msw/CISS.debian.installer
SHA256
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

V8.00.000.2025.06.17
All checks were successful
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 1m44s
Details

Browse Source 
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
This commit is contained in:
Marc S. Weidner
2025-10-19 09:06:27 +01:00
parent f7493e37e1
commit 0169be5527
14 changed files with 527 additions and 115 deletions
Download Patch File Download Diff File Expand all files Collapse all files

129
func/cdi_4400_hardening/4420_hardening_fail2ban.sh
View File

@@ -17,12 +17,14 @@ guard_sourcing
# Globals:
# ARY_ALLOW_IPV4
# ARY_ALLOW_IPV6
# RECOVERY
# TARGET
# VAR_FINAL_FQDN
# VAR_FINAL_IPV4
# VAR_FINAL_IPV6
# VAR_LINK_IPV6
# VAR_PROVIDER
# VAR_RUN_RECOVERY
# VAR_SSH_PORT
# Arguments:
# None
@@ -32,29 +34,33 @@ guard_sourcing
hardening_fail2ban() {
### Declare Arrays, HashMaps, and Variables.
declare -r var_logfile="/root/.ciss/cdi/log/4420_hardening_fail2ban.log"
declare var_target="${TARGET}"
chroot_logger "${TARGET}${var_logfile}"
### Check for TARGET / RECOVERY.
[[ "${VAR_RUN_RECOVERY}" == "true" ]] && var_target="${RECOVERY}"
mkdir -p "${TARGET}/root/.ciss/cdi/backup/etc/fail2ban/jail.d"
cp "${TARGET}/etc/fail2ban/fail2ban.conf" "${TARGET}/root/.ciss/cdi/backup/etc/fail2ban/fail2ban.conf.bak"
mv "${TARGET}/etc/fail2ban/jail.d/defaults-debian.conf" "${TARGET}/root/.ciss/cdi/backup/etc/fail2ban/jail.d/defaults-debian.conf.bak"
chroot_logger "${var_target}${var_logfile}"
mkdir -p "${var_target}/root/.ciss/cdi/backup/etc/fail2ban/jail.d"
cp "${var_target}/etc/fail2ban/fail2ban.conf" "${var_target}/root/.ciss/cdi/backup/etc/fail2ban/fail2ban.conf.bak"
mv "${var_target}/etc/fail2ban/jail.d/defaults-debian.conf" "${var_target}/root/.ciss/cdi/backup/etc/fail2ban/jail.d/defaults-debian.conf.bak"
# https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1024305
insert_header "${TARGET}/etc/fail2ban/fail2ban.local"
insert_comments "${TARGET}/etc/fail2ban/fail2ban.local"
cat << 'EOF' >> "${TARGET}/etc/fail2ban/fail2ban.local"
insert_header "${var_target}/etc/fail2ban/fail2ban.local"
insert_comments "${var_target}/etc/fail2ban/fail2ban.local"
cat << 'EOF' >> "${var_target}/etc/fail2ban/fail2ban.local"
[DEFAULT]
allowipv6 = auto
EOF
insert_header "${TARGET}/etc/fail2ban/jail.d/ciss-default.conf"
insert_comments "${TARGET}/etc/fail2ban/jail.d/ciss-default.conf"
insert_header "${var_target}/etc/fail2ban/jail.d/ciss-default.conf"
insert_comments "${var_target}/etc/fail2ban/jail.d/ciss-default.conf"
if [[ "${#ARY_ALLOW_IPV4[@]}" -gt 0 ]]; then
### fail2ban ufw aggressive mode, one attempt for jumphost configuration.
cat << EOF >> "${TARGET}/etc/fail2ban/jail.d/ciss-default.conf"
cat << EOF >> "${var_target}/etc/fail2ban/jail.d/ciss-default.conf"
[DEFAULT]
usedns = yes
ignoreip = 127.0.0.0/8 ::1
@@ -64,28 +70,37 @@ EOF
if [[ "${VAR_LINK_IPV6}" == "true" ]]; then
cat << EOF >> "${TARGET}/etc/fail2ban/jail.d/ciss-default.conf"
cat << EOF >> "${var_target}/etc/fail2ban/jail.d/ciss-default.conf"
${VAR_FINAL_IPV6}/64
EOF
fi
cat << EOF >> "${TARGET}/etc/fail2ban/jail.d/ciss-default.conf"
cat << EOF >> "${var_target}/etc/fail2ban/jail.d/ciss-default.conf"
# Jumphost
${ARY_ALLOW_IPV4[*]}
EOF
if [[ "${VAR_LINK_IPV6}" == "true" ]]; then
cat << EOF >> "${TARGET}/etc/fail2ban/jail.d/ciss-default.conf"
cat << EOF >> "${var_target}/etc/fail2ban/jail.d/ciss-default.conf"
${ARY_ALLOW_IPV6[*]}
EOF
fi
cat << EOF >> "${TARGET}/etc/fail2ban/jail.d/ciss-default.conf"
cat << EOF >> "${var_target}/etc/fail2ban/jail.d/ciss-default.conf"
maxretry = 8
findtime = 24h
bantime = 24h
[recidive]
enabled = true
filter = recidive
logpath = /var/log/fail2ban/fail2ban.log*
banaction = iptables-allports
bantime = 32d
findtime = 384d
maxretry = 4
[sshd]
enabled = true
backend = systemd
@@ -112,7 +127,6 @@ logpath = /var/log/ufw.log
maxretry = 1
findtime = 24h
bantime = 24h
protocol = tcp,udp
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
EOF
@@ -120,7 +134,7 @@ EOF
else
### fail2ban ufw aggressive mode, 32 attempts for NO jumphost configuration.
cat << EOF >> "${TARGET}/etc/fail2ban/jail.d/ciss-default.conf"
cat << EOF >> "${var_target}/etc/fail2ban/jail.d/ciss-default.conf"
[DEFAULT]
usedns = yes
ignoreip = 127.0.0.0/8 ::1
@@ -130,16 +144,25 @@ EOF
if [[ "${VAR_LINK_IPV6}" == "true" ]]; then
cat << EOF >> "${TARGET}/etc/fail2ban/jail.d/ciss-default.conf"
cat << EOF >> "${var_target}/etc/fail2ban/jail.d/ciss-default.conf"
${VAR_FINAL_IPV6}/64
EOF
fi
cat << EOF >> "${TARGET}/etc/fail2ban/jail.d/ciss-default.conf"
cat << EOF >> "${var_target}/etc/fail2ban/jail.d/ciss-default.conf"
maxretry = 8
findtime = 24h
bantime = 24h
[recidive]
enabled = true
filter = recidive
logpath = /var/log/fail2ban/fail2ban.log*
banaction = iptables-allports
bantime = 32d
findtime = 384d
maxretry = 4
[sshd]
enabled = true
backend = systemd
@@ -166,7 +189,6 @@ logpath = /var/log/ufw.log
maxretry = 8
findtime = 24h
bantime = 24h
protocol = tcp,udp
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
EOF
@@ -176,16 +198,19 @@ EOF
### Provider Hetzner needs special ignoreip rules.
if [[ "${VAR_PROVIDER}" == "hetzner" ]]; then
sed -i '0,/^maxretry/{s/^maxretry/# Hetzner Intern\n 172.31.1.1\/16\n&/}' "${TARGET}/etc/fail2ban/jail.d/ciss-default.conf"
sed -i '0,/^maxretry/{s/^maxretry/# Hetzner Intern\n 172.31.1.1\/16\n&/}' "${var_target}/etc/fail2ban/jail.d/ciss-default.conf"
fi
insert_header "${TARGET}/etc/fail2ban/filter.d/ciss.ufw.conf"
insert_comments "${TARGET}/etc/fail2ban/filter.d/ciss.ufw.conf"
cat << EOF >> "${TARGET}/etc/fail2ban/filter.d/ciss.ufw.conf"
insert_header "${var_target}/etc/fail2ban/filter.d/ciss.ufw.conf"
insert_comments "${var_target}/etc/fail2ban/filter.d/ciss.ufw.conf"
cat << EOF >> "${var_target}/etc/fail2ban/filter.d/ciss.ufw.conf"
[Definition]
failregex = ^.*UFW BLOCK.* SRC=<HOST> .*DPT=\d+ .*
failregex = \[UFW BLOCK\].+SRC=<HOST> DST
ignoreregex =
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
EOF
# Hardening of fail2ban systemd: https://wiki.archlinux.org/title/fail2ban#Service_hardening
@@ -193,12 +218,12 @@ EOF
# file. "CAP_NET_ADMIN" and "CAP_NET_RAW" allow fail2ban to operate on any firewall that has a command-line shell interface.
# By using 'ProtectSystem=strict' the filesystem hierarchy will only be read-only; 'ReadWritePaths' allows Fail2ban to have
# write access on required paths.
mkdir -p "${TARGET}/etc/systemd/system/fail2ban.service.d"
mkdir -p "${TARGET}/var/log/fail2ban"
mkdir -p "${var_target}/etc/systemd/system/fail2ban.service.d"
mkdir -p "${var_target}/var/log/fail2ban"
insert_header "${TARGET}/etc/systemd/system/fail2ban.service.d/override.conf"
insert_comments "${TARGET}/etc/systemd/system/fail2ban.service.d/override.conf"
cat << EOF >> "${TARGET}/etc/systemd/system/fail2ban.service.d/override.conf"
insert_header "${var_target}/etc/systemd/system/fail2ban.service.d/override.conf"
insert_comments "${var_target}/etc/systemd/system/fail2ban.service.d/override.conf"
cat << EOF >> "${var_target}/etc/systemd/system/fail2ban.service.d/override.conf"
[Service]
PrivateDevices=yes
PrivateTmp=yes
@@ -214,29 +239,53 @@ ProtectClock=true
ProtectHostname=true
EOF
cat << 'EOF' >> "${TARGET}/etc/fail2ban/fail2ban.local"
cat << 'EOF' >> "${var_target}/etc/fail2ban/fail2ban.local"
[Definition]
logtarget = /var/log/fail2ban/fail2ban.log
[Database]
# Keep entries for at least 384 days to cover recidive findtime.
dbpurgeage = 384d
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
EOF
### Logrotate must be updated too.
mkdir -p "${TARGET}/root/.ciss/cdi/backup/etc/logrotate.d"
cp "${TARGET}/etc/logrotate.d/fail2ban" "${TARGET}/root/.ciss/cdi/backup/etc/logrotate.d/fail2ban.bak"
sed -i 's/\/var\/log\/fail2ban.log/\/var\/log\/fail2ban\/fail2ban.log/1' "${TARGET}/etc/logrotate.d/fail2ban"
touch "${TARGET}/var/log/fail2ban/fail2ban.log"
chmod 640 "${TARGET}/var/log/fail2ban/fail2ban.log"
mkdir -p "${var_target}/root/.ciss/cdi/backup/etc/logrotate.d"
cp "${var_target}/etc/logrotate.d/fail2ban" "${var_target}/root/.ciss/cdi/backup/etc/logrotate.d/fail2ban.bak"
cat << EOF >| "${var_target}/etc/logrotate.d/fail2ban"
/var/log/fail2ban/fail2ban.log {
if [[ ! -f "${TARGET}/var/log/ufw.log" ]]; then
install -d -m 0755 "${TARGET}/var/log"
: >| "${TARGET}/var/log/ufw.log"
chmod 0640 "${TARGET}/var/log/ufw.log"
daily
rotate 384
compress
# Do not rotate if empty
notifempty
delaycompress
missingok
postrotate
fail2ban-client flushlogs 1>/dev/null
endscript
# If fail2ban runs as non-root it still needs to have write access
# to logfiles.
# create 640 fail2ban adm
create 640 root adm
}
EOF
touch "${var_target}/var/log/fail2ban/fail2ban.log"
chmod 0640 "${var_target}/var/log/fail2ban/fail2ban.log"
if [[ ! -f "${var_target}/var/log/ufw.log" ]]; then
install -d -m 0755 "${var_target}/var/log"
: >| "${var_target}/var/log/ufw.log"
chmod 0640 "${var_target}/var/log/ufw.log"
fi
### Merge / Dump-Parse via 'fail2ban-client -d'. All '*.conf', '*.local', and 'jail.*'-files are read, inherited, and merged.
### Syntax, path, and key errors result in a non-zero exit.
chroot_script "${TARGET}" "
chroot_script "${var_target}" "
fail2ban-client -d >> ${var_logfile} && echo "OK: config parsed" >> ${var_logfile} || echo "ERROR: config invalid" >> ${var_logfile}
"

42
func/cdi_4400_hardening/4430_hardening_files.sh
View File

@@ -15,7 +15,10 @@ guard_sourcing
#######################################
# Hardening files and directories.
# Globals:
# None
# RECOVERY
# TARGET
# VAR_RUN_RECOVERY
# VAR_SETUP_PATH
# Arguments:
# None
# Returns:
@@ -23,22 +26,29 @@ guard_sourcing
#######################################
hardening_files() {
declare var_bin="" var_binary=""
declare var_target="${TARGET}"
chmod 0700 "${TARGET}/etc/cron.d" "${TARGET}/etc/cron.daily" "${TARGET}/etc/cron.hourly" "${TARGET}/etc/cron.monthly" \
"${TARGET}/etc/cron.weekly"
chmod 0700 "${TARGET}/etc/sudoers.d"
chmod 0700 "${TARGET}/etc/crontab"
### Check for TARGET / RECOVERY.
[[ "${VAR_RUN_RECOVERY}" == "true" ]] && var_target="${RECOVERY}"
[[ -f "${TARGET}/etc/cron.deny" ]] && rm "${TARGET}/etc/cron.deny"
chmod 0700 "${var_target}/etc/cron.d" "${var_target}/etc/cron.daily" "${var_target}/etc/cron.hourly" "${var_target}/etc/cron.monthly" \
"${var_target}/etc/cron.weekly"
chmod 0700 "${var_target}/etc/sudoers.d"
chmod 0700 "${var_target}/etc/crontab"
rm -f "${TARGET}/etc/issue" "${TARGET}/etc/issue.net"
install -m 0644 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/issue" "${TARGET}/etc/issue"
install -m 0644 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/issue.net" "${TARGET}/etc/issue.net"
[[ -f "${var_target}/etc/cron.deny" ]] && rm "${var_target}/etc/cron.deny"
install -d -m 0700 -o root -g root "${TARGET}/root/.ansible"
### /etc/issue ---------------------------------------------------------------------------------------------------------------
rm -f "${var_target}/etc/issue" "${var_target}/etc/issue.net"
install -m 0644 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/issue" "${var_target}/etc/issue"
install -m 0644 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/issue.net" "${var_target}/etc/issue.net"
### /root/.ansible -----------------------------------------------------------------------------------------------------------
install -d -m 0700 -o root -g root "${var_target}/root/.ansible"
### /usr/bin/compiler --------------------------------------------------------------------------------------------------------
for var_bin in as gcc g++ cc clang; do
var_binary=$(readlink -f "${TARGET}/usr/bin/${var_bin}") || {
var_binary=$(readlink -f "${var_target}/usr/bin/${var_bin}") || {
do_log "info" "file_only" "4430() Binary: '${var_bin}' not found, skipping."
continue
}
@@ -47,6 +57,16 @@ hardening_files() {
}
done
### /etc/update-motd.d/10-uname ----------------------------------------------------------------------------------------------
mkdir -p "${var_target}/root/.ciss/cdi/backup/etc/update-motd.d"
cp -af "${var_target}/etc/update-motd.d/10-uname" "${var_target}/root/.ciss/cdi/backup/etc/update-motd.d/10-uname"
cat << 'EOF' >| "${var_target}/etc/update-motd.d/10-uname"
#!/bin/sh
uname -snrm
EOF
chmod 0755 /etc/update-motd.d/10-uname
guard_dir && return 0
}
### Prevents accidental 'unset -f'.

20
func/cdi_4400_hardening/4445_hardening_logrotate.sh
View File

@@ -13,9 +13,11 @@
guard_sourcing
#######################################
# Hardening logrotate.
# Hardening '/etc/logrotate'.
# Globals:
# RECOVERY
# TARGET
# VAR_RUN_RECOVERY
# Arguments:
# None
# Returns:
@@ -23,8 +25,6 @@ guard_sourcing
#######################################
hardening_logrotate() {
### Declare Arrays, HashMaps, and Variables.
declare -ar ary_logrotate=( "alternatives" "apt" "btmp" "chrony" "dpkg" "fail2ban" "rkhunter" "ufw" "unattended-upgrades" "usbguard")
declare var_file="" var_log=""
declare var_target="${TARGET}"
### Check for TARGET / RECOVERY.
@@ -39,8 +39,8 @@ hardening_logrotate() {
# rotate log files daily
daily
# keep 128 daily worth of backlogs
rotate 128
# keep 384 daily worth of backlogs
rotate 384
# hard cap: delete rotated logs older than 384 days
maxage 384
@@ -65,16 +65,6 @@ include /etc/logrotate.d
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
EOF
for var_log in "${ary_logrotate[@]}"; do
var_file="${var_target}/etc/logrotate.d/${var_log}"
[[ -e "${var_file}" ]] || continue
### Replace leading 'monthly'/'weekly' directives with 'daily', preserving indentation and trailing comments.
sed -E -i \
-e 's/^([[:space:]]*)(monthly|weekly)([[:space:]]*)(#.*)?$/\1daily\3\4/' \
-e 's/^([[:space:]]*)rotate([[:space:]]+[0-9]+)?([[:space:]]*)(#.*)?$/\1rotate 128\3\4/' \
"${var_file}"
done
guard_dir && return 0
}
### Prevents accidental 'unset -f'.

39
func/cdi_4400_hardening/4470_hardening_ufw.sh
View File

@@ -15,7 +15,10 @@ guard_sourcing
#######################################
# Hardening 'ufw'.
# Globals:
# RECOVERY
# TARGET
# VAR_FINAL_NIC
# VAR_RUN_RECOVERY
# VAR_SSH_PORT
# VAR_UFW_OUT
# Arguments:
@@ -26,16 +29,22 @@ guard_sourcing
hardening_ufw() {
### Declare Arrays, HashMaps, and Variables.
declare -r var_logfile="/root/.ciss/cdi/log/4470_hardening_ufw.log"
declare -r var_rules="${TARGET}/etc/ufw/before6.rules"
declare var_target="${TARGET}"
chroot_logger "${TARGET}${var_logfile}"
### Check for TARGET / RECOVERY.
[[ "${VAR_RUN_RECOVERY}" == "true" ]] && var_target="${RECOVERY}"
if [[ ! -f "${TARGET}/var/log/ufw.log" ]]; then
touch "${TARGET}/var/log/ufw.log"
chmod 0640 "${TARGET}/var/log/ufw.log"
declare -r var_rules="${var_target}/etc/ufw/before6.rules"
chroot_logger "${var_target}${var_logfile}"
if [[ ! -f "${var_target}/var/log/ufw.log" ]]; then
touch "${var_target}/var/log/ufw.log"
chmod 0640 "${var_target}/var/log/ufw.log"
fi
chroot_script "${TARGET}" "
chroot_script "${var_target}" "
ufw --force reset
ufw logging medium
ufw default deny incoming
@@ -48,7 +57,7 @@ hardening_ufw() {
### Ensure that a standard set of the most commonly used ports are open if a default-'deny'-outbound policy is selected.
if [[ "${VAR_UFW_OUT}" = "deny" ]]; then
chroot_script "${TARGET}" "
chroot_script "${var_target}" "
ufw allow out 21/tcp comment 'Outgoing FTP'
ufw allow out 22/tcp comment 'Outgoing SSH'
ufw allow out 25/tcp comment 'Outgoing SMTP'
@@ -71,12 +80,11 @@ hardening_ufw() {
fi
### Allowing ICMP IPv4 outgoing per default.
sed -i "/# ok icmp code for FORWARD/i \# ok icmp codes for OUTPUT" "${TARGET}/etc/ufw/before.rules"
sed -i "/# ok icmp code for FORWARD/i \-A ufw-before-output -p icmp --icmp-type destination-unreachable -j ACCEPT" "${TARGET}/etc/ufw/before.rules"
sed -i "/# ok icmp code for FORWARD/i \-A ufw-before-output -p icmp --icmp-type time-exceeded -j ACCEPT" "${TARGET}/etc/ufw/before.rules"
sed -i "/# ok icmp code for FORWARD/i \-A ufw-before-output -p icmp --icmp-type parameter-problem -j ACCEPT" "${TARGET}/etc/ufw/before.rules"
sed -i "/# ok icmp code for FORWARD/i \-A ufw-before-output -p icmp --icmp-type echo-request -j ACCEPT" "${TARGET}/etc/ufw/before.rules"
sed -i "/# ok icmp code for FORWARD/i \# ok icmp codes for OUTPUT" "${var_target}/etc/ufw/before.rules"
sed -i "/# ok icmp code for FORWARD/i \-A ufw-before-output -p icmp --icmp-type destination-unreachable -j ACCEPT" "${var_target}/etc/ufw/before.rules"
sed -i "/# ok icmp code for FORWARD/i \-A ufw-before-output -p icmp --icmp-type time-exceeded -j ACCEPT" "${var_target}/etc/ufw/before.rules"
sed -i "/# ok icmp code for FORWARD/i \-A ufw-before-output -p icmp --icmp-type parameter-problem -j ACCEPT" "${var_target}/etc/ufw/before.rules"
sed -i "/# ok icmp code for FORWARD/i \-A ufw-before-output -p icmp --icmp-type echo-request -j ACCEPT" "${var_target}/etc/ufw/before.rules"
### Remove previous custom blocks (idempotent).
sed -i "/^# BEGIN custom MLD rules/,/^# END custom MLD rules/d" "${var_rules}"
@@ -90,10 +98,9 @@ hardening_ufw() {
### Useful if local daemons join multicast groups, and you want clean logs.
sed -i "/-A ufw6-before-output .*--icmpv6-type echo-request -j ACCEPT/i # BEGIN custom MLD OUTPUT rules\n-A ufw6-before-output -o ${VAR_FINAL_NIC} -p icmpv6 --icmpv6-type 131 -d ff02::/16 -j ACCEPT\n-A ufw6-before-output -o ${VAR_FINAL_NIC} -p icmpv6 --icmpv6-type 143 -d ff02::/16 -j ACCEPT\n# END custom MLD OUTPUT rules" "${var_rules}"
chroot_script "${var_target}" "echo 'y' | ufw enable 2>&1"
chroot_script "${TARGET}" "echo 'y' | ufw enable 2>&1"
chroot_script "${TARGET}" "ufw status verbose >> ${var_logfile}"
chroot_script "${var_target}" "ufw status verbose >> ${var_logfile}"
guard_dir && return 0
}

170
func/cdi_4500_user/4520_accounts_setup.sh
View File

@@ -18,6 +18,7 @@ guard_sourcing
# RECOVERY
# TARGET
# VAR_RUN_RECOVERY
# VAR_SETUP_PATH
# VAR_TEMP_PLAIN_MFA_SEED
# VAR_USER_MAX
# VAR_USER_ROOT_SPECIFIC
@@ -51,6 +52,10 @@ accounts_setup() {
chroot_logger "${var_target}${var_logfile}"
### Install CISS TOTP gate script.
install -m 0755 -o root -g root "${VAR_SETUP_PATH}/includes/target/usr/local/libexec/ciss_pam_2fa_gate.sh" \
"${var_target}/usr/local/libexec/"
### Update pam modules for 2fa.
write_pam_login "${var_target}"
write_pam_sshd "${var_target}"
@@ -166,7 +171,10 @@ EOF
if [[ "${user_root_authentication_2fa_ssh}" == "true" || "${user_root_authentication_2fa_tty}" == "true" ]]; then
write_google_authenticator_file "root" "0" "0" "${var_target}"
printf '%s\n' "root" >> "${var_target}/etc/ciss/2fa.users"
[[ "${user_root_authentication_2fa_ssh}" == "true" ]] && write_ciss_2fa_user "root" "sshd" "on" "${var_target}"
[[ "${user_root_authentication_2fa_tty}" == "true" ]] && write_ciss_2fa_user "root" "login" "on" "${var_target}"
fi
@@ -382,7 +390,10 @@ EOF
if [[ "${var_2fa_ssh}" == "true" || "${var_2fa_tty}" == "true" ]]; then
write_google_authenticator_file "${var_username}" "${var_uid}" "${var_gid}" "${var_target}"
printf '%s\n' "${var_username}" >> "${var_target}/etc/ciss/2fa.users"
[[ "${var_2fa_ssh}" == "true" ]] && write_ciss_2fa_user "${var_username}" "sshd" "on" "${var_target}"
[[ "${var_2fa_tty}" == "true" ]] && write_ciss_2fa_user "${var_username}" "login" "on" "${var_target}"
fi
@@ -652,7 +663,7 @@ EOF
cat << EOF >> "${var_lr_conf}"
/var/log/sudo.log {
daily
rotate 128
rotate 384
maxage 384
compress
delaycompress
@@ -666,18 +677,6 @@ EOF
}
EOF
### Verify logrotate config in chroot.
if ! chroot_script "${var_target}" "logrotate -d /etc/logrotate.conf >> ${var_logfile}"; then
do_log "warn" "file_only" "4520() Command: [chroot_script ${var_target} logrotate -d /etc/logrotate.conf] failed."
return "${ERR_VERIFY_LOGROTATE}"
else
do_log "info" "file_only" "4520() Command: [chroot_script ${var_target} logrotate -d /etc/logrotate.conf] successful."
fi
fi
return 0
@@ -721,6 +720,131 @@ read_totp_seed(){
# shellcheck disable=SC2034
readonly -f read_totp_seed
#######################################
# Writes idempotently '/etc/ciss/2fa.map'.
# Globals:
# None
# Arguments:
# 1: user
# 2: module {login, sshd, su, sudo}
# 3: status {on, off, 1, 0, yes, no, true, false}
# 4: target
# Returns:
# 0: on success
#######################################
write_ciss_2fa_user() {
### Declare Arrays, HashMaps, and Variables.
declare -r var_u="${1}" var_m="${2,,}" var_s="${3}" var_target="${4}"
declare -r var_ciss_2fa_map="${var_target}/etc/ciss/2fa.map" var_map_file="${var_ciss_2fa_map}" \
var_tmp_file="${var_map_file}.tmp.$$" var_umask=$(umask)
declare -i col_idx="" found="0" status=""
declare line=""
umask 0077
# shellcheck disable=SC2249
case "${var_s,,}" in
on|1|yes|true) status="1" ;;
off|0|no|false) status="0" ;;
esac
# shellcheck disable=SC2249
case "${var_m}" in
login) col_idx=2 ;;
sshd) col_idx=3 ;;
su) col_idx=4 ;;
sudo) col_idx=5 ;;
esac
### Read the old map, rewrite with targeted change.
if [[ -r "${var_map_file}" ]]; then
### Read line by line; preserve comments/blank lines; drop duplicate user lines beyond the first.
while IFS= read -r line || [[ -n "${line}" ]]; do
### Preserve comments and blanks verbatim.
if [[ -z "${line}" || "${line:0:1}" == "#" ]]; then
printf '%s\n' "${line}" >> "${var_tmp_file}"
continue
fi
### Parse colon-separated fields (the rest is ignored).
declare u="" f_login="" f_sshd="" f_su="" f_sudo="" rest=""
IFS=':' read -r u f_login f_sshd f_su f_sudo rest <<< "${line}"
### Keep non-target users verbatim.
if [[ "${u}" != "${var_u}" ]]; then
printf '%s\n' "${line}" >> "${var_tmp_file}"
continue
fi
### If we already updated this user once, skip any further duplicates.
if [[ "${found}" -eq 1 ]]; then
### Drop duplicate occurrence to keep the file canonical.
continue
fi
### Fill missing fields with defaults=1.
[[ -n "${f_login}" ]] || f_login=1
[[ -n "${f_sshd}" ]] || f_sshd=1
[[ -n "${f_su}" ]] || f_su=1
[[ -n "${f_sudo}" ]] || f_sudo=1
### Toggle the requested column only.
# shellcheck disable=SC2249
case "${col_idx}" in
2) f_login="${status}" ;;
3) f_sshd="${status}" ;;
4) f_su="${status}" ;;
5) f_sudo="${status}" ;;
esac
printf '%s:%s:%s:%s:%s\n' "${u}" "${f_login}" "${f_sshd}" "${f_su}" "${f_sudo}" >> "${var_tmp_file}"
found=1
done < "${var_map_file}"
fi
### If user not found: append a new default line (all 1), with the column set.
if [[ "${found}" -eq 0 ]]; then
declare -i d_login="1" d_sshd="1" d_su="1" d_sudo="1"
# shellcheck disable=SC2249
case "${col_idx}" in
2) d_login="${status}" ;;
3) d_sshd="${status}" ;;
4) d_su="${status}" ;;
5) d_sudo="${status}" ;;
esac
printf '%s:%s:%s:%s:%s\n' "${var_u}" "${d_login}" "${d_sshd}" "${d_su}" "${d_sudo}" >> "${var_tmp_file}"
fi
if [[ -e "${var_tmp_file}" ]]; then
mv -f -- "${var_tmp_file}" "${var_map_file}" || rm -f -- "${var_tmp_file}"
fi
umask "${var_umask}"
return 0
}
### Prevents accidental 'unset -f'.
# shellcheck disable=SC2034
readonly -f write_ciss_2fa_user
#######################################
# Writes '.google_authenticator'-file for the respective user.
# Globals:
@@ -859,8 +983,8 @@ session required pam_env.so readenv=1 envfile=/etc/default/locale
# ===== CISS 2FA block ========
# If user is NOT listed -> succeed and SKIP next two lines (no TOTP prompt).
auth [success=2 default=ignore] pam_listfile.so item=user sense=deny file=/etc/ciss/2fa.users onerr=ignore
# If gate returns SUCCESS => skip next two lines (no TOTP).
auth [success=2 default=ignore] pam_exec.so quiet /usr/local/libexec/ciss_pam_2fa_gate.sh
# For listed users: enforce that the secret file exists, else deny without prompting.
# pam_google_authenticator will itself fail if the file is absent; we add a clear hint before it.
@@ -943,8 +1067,8 @@ write_pam_sshd() {
# ===== CISS 2FA block ========
# If user is NOT listed -> succeed and SKIP next two lines (silent Keyboard-Interactive (KI) success).
auth [success=2 default=ignore] pam_listfile.so item=user sense=deny file=/etc/ciss/2fa.users onerr=ignore
# If gate returns SUCCESS => skip next two lines (no TOTP).
auth [success=2 default=ignore] pam_exec.so quiet /usr/local/libexec/ciss_pam_2fa_gate.sh
# For listed users: enforce that the secret file exists, else deny without prompting.
# pam_google_authenticator will itself fail if the file is absent; we add a clear hint before it.
@@ -1064,8 +1188,8 @@ auth sufficient pam_timestamp.so
# ===== CISS 2FA block ========
# If user is NOT listed -> succeed and SKIP next two lines (no TOTP prompt).
auth [success=2 default=ignore] pam_listfile.so item=user sense=deny file=/etc/ciss/2fa.users onerr=ignore
# If gate returns SUCCESS => skip next two lines (no TOTP).
auth [success=2 default=ignore] pam_exec.so quiet /usr/local/libexec/ciss_pam_2fa_gate.sh
# For listed users: enforce that the secret file exists, else deny without prompting.
# pam_google_authenticator will itself fail if the file is absent; we add a clear hint before it.
@@ -1129,8 +1253,8 @@ auth sufficient pam_timestamp.so
# ===== CISS 2FA block ========
# If user is NOT listed -> succeed and SKIP next two lines (no TOTP prompt).
auth [success=2 default=ignore] pam_listfile.so item=user sense=deny file=/etc/ciss/2fa.users onerr=ignore
# If gate returns SUCCESS => skip next two lines (no TOTP).
auth [success=2 default=ignore] pam_exec.so quiet /usr/local/libexec/ciss_pam_2fa_gate.sh
# For listed users: enforce that the secret file exists, else deny without prompting.
# pam_google_authenticator will itself fail if the file is absent; we add a clear hint before it.

65
func/cdi_4900_xtended/4950_final_logrotate.sh Normal file
View File

@@ -0,0 +1,65 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
guard_sourcing
#######################################
# Final update '/etc/logrotate.d/*'.
# Globals:
# RECOVERY
# TARGET
# VAR_RUN_RECOVERY
# Arguments:
# None
# Returns:
# 0: on success
#######################################
final_logrotate() {
### Declare Arrays, HashMaps, and Variables.
declare -ar ary_logrotate=(
"alternatives"
"apt"
"btmp"
"chrony"
"clamav-daemon"
"clamav-freshclam"
"dpkg"
"fail2ban"
"rkhunter"
"rsnapshot"
"ufw"
"unattended-upgrades"
"usbguard"
"wtmp"
)
declare var_file="" var_log=""
declare var_target="${TARGET}"
### Check for TARGET / RECOVERY.
[[ "${VAR_RUN_RECOVERY}" == "true" ]] && var_target="${RECOVERY}"
for var_log in "${ary_logrotate[@]}"; do
var_file="${var_target}/etc/logrotate.d/${var_log}"
[[ -e "${var_file}" ]] || continue
### Replace leading 'monthly'/'weekly' directives with 'daily', preserving indentation and trailing comments.
sed -E -i \
-e 's/^([[:space:]]*)(monthly|weekly)([[:space:]]*)(#.*)?$/\1daily\3\4/' \
-e 's/^([[:space:]]*)rotate([[:space:]]+[0-9]+)?([[:space:]]*)(#.*)?$/\1rotate 128\3\4/' \
"${var_file}"
done
guard_dir && return 0
}
### Prevents accidental 'unset -f'.
# shellcheck disable=SC2034
readonly -f final_logrotate
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh