V8.00.000.2025.06.17

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>

func/cdi_4400_hardening/4420_hardening_fail2ban.sh

@@ -17,12 +17,14 @@ guard_sourcing
 # Globals:
 #   ARY_ALLOW_IPV4
 #   ARY_ALLOW_IPV6
+#   RECOVERY
 #   TARGET
 #   VAR_FINAL_FQDN
 #   VAR_FINAL_IPV4
 #   VAR_FINAL_IPV6
 #   VAR_LINK_IPV6
 #   VAR_PROVIDER
+#   VAR_RUN_RECOVERY
 #   VAR_SSH_PORT
 # Arguments:
 #   None
@@ -32,29 +34,33 @@ guard_sourcing
 hardening_fail2ban() {
   ### Declare Arrays, HashMaps, and Variables.
   declare -r  var_logfile="/root/.ciss/cdi/log/4420_hardening_fail2ban.log"
+  declare     var_target="${TARGET}"
 
-  chroot_logger "${TARGET}${var_logfile}"
+  ### Check for TARGET / RECOVERY.
+  [[ "${VAR_RUN_RECOVERY}" == "true" ]] && var_target="${RECOVERY}"
 
-  mkdir -p "${TARGET}/root/.ciss/cdi/backup/etc/fail2ban/jail.d"
-  cp "${TARGET}/etc/fail2ban/fail2ban.conf" "${TARGET}/root/.ciss/cdi/backup/etc/fail2ban/fail2ban.conf.bak"
-  mv "${TARGET}/etc/fail2ban/jail.d/defaults-debian.conf" "${TARGET}/root/.ciss/cdi/backup/etc/fail2ban/jail.d/defaults-debian.conf.bak"
+  chroot_logger "${var_target}${var_logfile}"
+
+  mkdir -p "${var_target}/root/.ciss/cdi/backup/etc/fail2ban/jail.d"
+  cp "${var_target}/etc/fail2ban/fail2ban.conf" "${var_target}/root/.ciss/cdi/backup/etc/fail2ban/fail2ban.conf.bak"
+  mv "${var_target}/etc/fail2ban/jail.d/defaults-debian.conf" "${var_target}/root/.ciss/cdi/backup/etc/fail2ban/jail.d/defaults-debian.conf.bak"
 
   # https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1024305
-  insert_header   "${TARGET}/etc/fail2ban/fail2ban.local"
-  insert_comments "${TARGET}/etc/fail2ban/fail2ban.local"
-  cat << 'EOF' >> "${TARGET}/etc/fail2ban/fail2ban.local"
+  insert_header   "${var_target}/etc/fail2ban/fail2ban.local"
+  insert_comments "${var_target}/etc/fail2ban/fail2ban.local"
+  cat << 'EOF' >> "${var_target}/etc/fail2ban/fail2ban.local"
 [DEFAULT]
 allowipv6 = auto
 
 EOF
 
-  insert_header   "${TARGET}/etc/fail2ban/jail.d/ciss-default.conf"
-  insert_comments "${TARGET}/etc/fail2ban/jail.d/ciss-default.conf"
+  insert_header   "${var_target}/etc/fail2ban/jail.d/ciss-default.conf"
+  insert_comments "${var_target}/etc/fail2ban/jail.d/ciss-default.conf"
 
   if [[ "${#ARY_ALLOW_IPV4[@]}" -gt 0 ]]; then
 
     ### fail2ban ufw aggressive mode, one attempt for jumphost configuration.
-    cat << EOF >> "${TARGET}/etc/fail2ban/jail.d/ciss-default.conf"
+    cat << EOF >> "${var_target}/etc/fail2ban/jail.d/ciss-default.conf"
 [DEFAULT]
 usedns    = yes
 ignoreip  = 127.0.0.0/8 ::1
@@ -64,28 +70,37 @@ EOF
 
     if [[ "${VAR_LINK_IPV6}" == "true" ]]; then
 
-      cat << EOF >> "${TARGET}/etc/fail2ban/jail.d/ciss-default.conf"
+      cat << EOF >> "${var_target}/etc/fail2ban/jail.d/ciss-default.conf"
   ${VAR_FINAL_IPV6}/64
 EOF
     fi
 
-    cat << EOF >> "${TARGET}/etc/fail2ban/jail.d/ciss-default.conf"
+    cat << EOF >> "${var_target}/etc/fail2ban/jail.d/ciss-default.conf"
 # Jumphost
   ${ARY_ALLOW_IPV4[*]}
 EOF
 
     if [[ "${VAR_LINK_IPV6}" == "true" ]]; then
 
-      cat << EOF >> "${TARGET}/etc/fail2ban/jail.d/ciss-default.conf"
+      cat << EOF >> "${var_target}/etc/fail2ban/jail.d/ciss-default.conf"
   ${ARY_ALLOW_IPV6[*]}
 EOF
     fi
 
-    cat << EOF >> "${TARGET}/etc/fail2ban/jail.d/ciss-default.conf"
+    cat << EOF >> "${var_target}/etc/fail2ban/jail.d/ciss-default.conf"
 maxretry  = 8
 findtime  = 24h
 bantime   = 24h
 
+[recidive]
+enabled   = true
+filter    = recidive
+logpath   = /var/log/fail2ban/fail2ban.log*
+banaction = iptables-allports
+bantime   = 32d
+findtime  = 384d
+maxretry  = 4
+
 [sshd]
 enabled   = true
 backend   = systemd
@@ -112,7 +127,6 @@ logpath   = /var/log/ufw.log
 maxretry  = 1
 findtime  = 24h
 bantime   = 24h
-protocol  = tcp,udp
 
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
 EOF
@@ -120,7 +134,7 @@ EOF
   else
 
     ### fail2ban ufw aggressive mode, 32 attempts for NO jumphost configuration.
-    cat << EOF >> "${TARGET}/etc/fail2ban/jail.d/ciss-default.conf"
+    cat << EOF >> "${var_target}/etc/fail2ban/jail.d/ciss-default.conf"
 [DEFAULT]
 usedns    = yes
 ignoreip  = 127.0.0.0/8 ::1
@@ -130,16 +144,25 @@ EOF
 
     if [[ "${VAR_LINK_IPV6}" == "true" ]]; then
 
-      cat << EOF >> "${TARGET}/etc/fail2ban/jail.d/ciss-default.conf"
+      cat << EOF >> "${var_target}/etc/fail2ban/jail.d/ciss-default.conf"
   ${VAR_FINAL_IPV6}/64
 EOF
     fi
 
-    cat << EOF >> "${TARGET}/etc/fail2ban/jail.d/ciss-default.conf"
+    cat << EOF >> "${var_target}/etc/fail2ban/jail.d/ciss-default.conf"
 maxretry  = 8
 findtime  = 24h
 bantime   = 24h
 
+[recidive]
+enabled   = true
+filter    = recidive
+logpath   = /var/log/fail2ban/fail2ban.log*
+banaction = iptables-allports
+bantime   = 32d
+findtime  = 384d
+maxretry  = 4
+
 [sshd]
 enabled   = true
 backend   = systemd
@@ -166,7 +189,6 @@ logpath   = /var/log/ufw.log
 maxretry  = 8
 findtime  = 24h
 bantime   = 24h
-protocol  = tcp,udp
 
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
 EOF
@@ -176,16 +198,19 @@ EOF
   ### Provider Hetzner needs special ignoreip rules.
   if [[ "${VAR_PROVIDER}" == "hetzner" ]]; then
 
-    sed -i '0,/^maxretry/{s/^maxretry/# Hetzner Intern\n  172.31.1.1\/16\n&/}' "${TARGET}/etc/fail2ban/jail.d/ciss-default.conf"
+    sed -i '0,/^maxretry/{s/^maxretry/# Hetzner Intern\n  172.31.1.1\/16\n&/}' "${var_target}/etc/fail2ban/jail.d/ciss-default.conf"
 
   fi
 
-  insert_header   "${TARGET}/etc/fail2ban/filter.d/ciss.ufw.conf"
-  insert_comments "${TARGET}/etc/fail2ban/filter.d/ciss.ufw.conf"
-  cat << EOF >>   "${TARGET}/etc/fail2ban/filter.d/ciss.ufw.conf"
+  insert_header   "${var_target}/etc/fail2ban/filter.d/ciss.ufw.conf"
+  insert_comments "${var_target}/etc/fail2ban/filter.d/ciss.ufw.conf"
+  cat << EOF >>   "${var_target}/etc/fail2ban/filter.d/ciss.ufw.conf"
+
 [Definition]
-failregex = ^.*UFW BLOCK.* SRC=<HOST> .*DPT=\d+ .*
+failregex = \[UFW BLOCK\].+SRC=<HOST> DST
 ignoreregex =
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
 EOF
 
   # Hardening of fail2ban systemd: https://wiki.archlinux.org/title/fail2ban#Service_hardening
@@ -193,12 +218,12 @@ EOF
   # file. "CAP_NET_ADMIN" and "CAP_NET_RAW" allow fail2ban to operate on any firewall that has a command-line shell interface.
   # By using 'ProtectSystem=strict' the filesystem hierarchy will only be read-only; 'ReadWritePaths' allows Fail2ban to have
   # write access on required paths.
-  mkdir -p "${TARGET}/etc/systemd/system/fail2ban.service.d"
-  mkdir -p "${TARGET}/var/log/fail2ban"
+  mkdir -p "${var_target}/etc/systemd/system/fail2ban.service.d"
+  mkdir -p "${var_target}/var/log/fail2ban"
 
-  insert_header   "${TARGET}/etc/systemd/system/fail2ban.service.d/override.conf"
-  insert_comments "${TARGET}/etc/systemd/system/fail2ban.service.d/override.conf"
-  cat << EOF >>   "${TARGET}/etc/systemd/system/fail2ban.service.d/override.conf"
+  insert_header   "${var_target}/etc/systemd/system/fail2ban.service.d/override.conf"
+  insert_comments "${var_target}/etc/systemd/system/fail2ban.service.d/override.conf"
+  cat << EOF >>   "${var_target}/etc/systemd/system/fail2ban.service.d/override.conf"
 [Service]
 PrivateDevices=yes
 PrivateTmp=yes
@@ -214,29 +239,53 @@ ProtectClock=true
 ProtectHostname=true
 EOF
 
-  cat << 'EOF' >> "${TARGET}/etc/fail2ban/fail2ban.local"
+  cat << 'EOF' >> "${var_target}/etc/fail2ban/fail2ban.local"
 [Definition]
 logtarget = /var/log/fail2ban/fail2ban.log
 
+[Database]
+# Keep entries for at least 384 days to cover recidive findtime.
+dbpurgeage = 384d
+
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
 EOF
 
   ### Logrotate must be updated too.
-  mkdir -p "${TARGET}/root/.ciss/cdi/backup/etc/logrotate.d"
-  cp "${TARGET}/etc/logrotate.d/fail2ban" "${TARGET}/root/.ciss/cdi/backup/etc/logrotate.d/fail2ban.bak"
-  sed -i 's/\/var\/log\/fail2ban.log/\/var\/log\/fail2ban\/fail2ban.log/1' "${TARGET}/etc/logrotate.d/fail2ban"
-  touch "${TARGET}/var/log/fail2ban/fail2ban.log"
-  chmod 640 "${TARGET}/var/log/fail2ban/fail2ban.log"
+  mkdir -p "${var_target}/root/.ciss/cdi/backup/etc/logrotate.d"
+  cp "${var_target}/etc/logrotate.d/fail2ban" "${var_target}/root/.ciss/cdi/backup/etc/logrotate.d/fail2ban.bak"
+  cat << EOF >| "${var_target}/etc/logrotate.d/fail2ban"
+/var/log/fail2ban/fail2ban.log {
 
-  if [[ ! -f "${TARGET}/var/log/ufw.log" ]]; then
-    install -d -m 0755 "${TARGET}/var/log"
-    : >| "${TARGET}/var/log/ufw.log"
-    chmod 0640 "${TARGET}/var/log/ufw.log"
+    daily
+    rotate 384
+    compress
+    # Do not rotate if empty
+    notifempty
+
+    delaycompress
+    missingok
+    postrotate
+        fail2ban-client flushlogs 1>/dev/null
+    endscript
+
+    # If fail2ban runs as non-root it still needs to have write access
+    # to logfiles.
+    # create 640 fail2ban adm
+    create 640 root adm
+}
+EOF
+  touch "${var_target}/var/log/fail2ban/fail2ban.log"
+  chmod 0640 "${var_target}/var/log/fail2ban/fail2ban.log"
+
+  if [[ ! -f "${var_target}/var/log/ufw.log" ]]; then
+    install -d -m 0755 "${var_target}/var/log"
+    : >| "${var_target}/var/log/ufw.log"
+    chmod 0640 "${var_target}/var/log/ufw.log"
   fi
 
   ### Merge / Dump-Parse via 'fail2ban-client -d'. All '*.conf', '*.local', and 'jail.*'-files are read, inherited, and merged.
   ### Syntax, path, and key errors result in a non-zero exit.
-  chroot_script "${TARGET}" "
+  chroot_script "${var_target}" "
     fail2ban-client -d >> ${var_logfile} && echo "OK: config parsed" >> ${var_logfile} || echo "ERROR: config invalid" >> ${var_logfile}
   "
 

func/cdi_4400_hardening/4430_hardening_files.sh

@@ -15,7 +15,10 @@ guard_sourcing
 #######################################
 # Hardening files and directories.
 # Globals:
-#   None
+#   RECOVERY
+#   TARGET
+#   VAR_RUN_RECOVERY
+#   VAR_SETUP_PATH
 # Arguments:
 #   None
 # Returns:
@@ -23,22 +26,29 @@ guard_sourcing
 #######################################
 hardening_files() {
   declare     var_bin="" var_binary=""
+  declare     var_target="${TARGET}"
 
-  chmod 0700 "${TARGET}/etc/cron.d" "${TARGET}/etc/cron.daily" "${TARGET}/etc/cron.hourly" "${TARGET}/etc/cron.monthly" \
-             "${TARGET}/etc/cron.weekly"
-  chmod 0700 "${TARGET}/etc/sudoers.d"
-  chmod 0700 "${TARGET}/etc/crontab"
+  ### Check for TARGET / RECOVERY.
+  [[ "${VAR_RUN_RECOVERY}" == "true" ]] && var_target="${RECOVERY}"
 
-  [[ -f "${TARGET}/etc/cron.deny" ]] && rm "${TARGET}/etc/cron.deny"
+  chmod 0700 "${var_target}/etc/cron.d" "${var_target}/etc/cron.daily" "${var_target}/etc/cron.hourly" "${var_target}/etc/cron.monthly" \
+             "${var_target}/etc/cron.weekly"
+  chmod 0700 "${var_target}/etc/sudoers.d"
+  chmod 0700 "${var_target}/etc/crontab"
 
-  rm -f "${TARGET}/etc/issue" "${TARGET}/etc/issue.net"
-  install -m 0644 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/issue" "${TARGET}/etc/issue"
-  install -m 0644 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/issue.net" "${TARGET}/etc/issue.net"
+  [[ -f "${var_target}/etc/cron.deny" ]] && rm "${var_target}/etc/cron.deny"
 
-  install -d -m 0700 -o root -g root "${TARGET}/root/.ansible"
+  ### /etc/issue ---------------------------------------------------------------------------------------------------------------
+  rm -f "${var_target}/etc/issue" "${var_target}/etc/issue.net"
+  install -m 0644 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/issue" "${var_target}/etc/issue"
+  install -m 0644 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/issue.net" "${var_target}/etc/issue.net"
 
+  ### /root/.ansible -----------------------------------------------------------------------------------------------------------
+  install -d -m 0700 -o root -g root "${var_target}/root/.ansible"
+
+  ### /usr/bin/compiler --------------------------------------------------------------------------------------------------------
   for var_bin in as gcc g++ cc clang; do
-    var_binary=$(readlink -f "${TARGET}/usr/bin/${var_bin}") || {
+    var_binary=$(readlink -f "${var_target}/usr/bin/${var_bin}") || {
       do_log "info" "file_only" "4430() Binary: '${var_bin}' not found, skipping."
       continue
     }
@@ -47,6 +57,16 @@ hardening_files() {
     }
   done
 
+  ### /etc/update-motd.d/10-uname ----------------------------------------------------------------------------------------------
+  mkdir -p "${var_target}/root/.ciss/cdi/backup/etc/update-motd.d"
+  cp -af "${var_target}/etc/update-motd.d/10-uname" "${var_target}/root/.ciss/cdi/backup/etc/update-motd.d/10-uname"
+
+  cat << 'EOF' >| "${var_target}/etc/update-motd.d/10-uname"
+#!/bin/sh
+uname -snrm
+EOF
+  chmod 0755 /etc/update-motd.d/10-uname
+
   guard_dir && return 0
 }
 ### Prevents accidental 'unset -f'.

func/cdi_4400_hardening/4445_hardening_logrotate.sh

@@ -13,9 +13,11 @@
 guard_sourcing
 
 #######################################
-# Hardening logrotate.
+# Hardening '/etc/logrotate'.
 # Globals:
+#   RECOVERY
 #   TARGET
+#   VAR_RUN_RECOVERY
 # Arguments:
 #   None
 # Returns:
@@ -23,8 +25,6 @@ guard_sourcing
 #######################################
 hardening_logrotate() {
   ### Declare Arrays, HashMaps, and Variables.
-  declare -ar ary_logrotate=( "alternatives" "apt" "btmp" "chrony" "dpkg" "fail2ban" "rkhunter" "ufw" "unattended-upgrades" "usbguard")
-  declare     var_file="" var_log=""
   declare     var_target="${TARGET}"
 
   ### Check for TARGET / RECOVERY.
@@ -39,8 +39,8 @@ hardening_logrotate() {
 # rotate log files daily
 daily
 
-# keep 128 daily worth of backlogs
-rotate 128
+# keep 384 daily worth of backlogs
+rotate 384
 
 # hard cap: delete rotated logs older than 384 days
 maxage 384
@@ -65,16 +65,6 @@ include /etc/logrotate.d
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
 EOF
 
-  for var_log in "${ary_logrotate[@]}"; do
-    var_file="${var_target}/etc/logrotate.d/${var_log}"
-    [[ -e "${var_file}" ]] || continue
-    ### Replace leading 'monthly'/'weekly' directives with 'daily', preserving indentation and trailing comments.
-    sed -E -i \
-      -e 's/^([[:space:]]*)(monthly|weekly)([[:space:]]*)(#.*)?$/\1daily\3\4/' \
-      -e 's/^([[:space:]]*)rotate([[:space:]]+[0-9]+)?([[:space:]]*)(#.*)?$/\1rotate 128\3\4/' \
-      "${var_file}"
-  done
-
   guard_dir && return 0
 }
 ### Prevents accidental 'unset -f'.

func/cdi_4400_hardening/4470_hardening_ufw.sh

@@ -15,7 +15,10 @@ guard_sourcing
 #######################################
 # Hardening 'ufw'.
 # Globals:
+#   RECOVERY
 #   TARGET
+#   VAR_FINAL_NIC
+#   VAR_RUN_RECOVERY
 #   VAR_SSH_PORT
 #   VAR_UFW_OUT
 # Arguments:
@@ -26,16 +29,22 @@ guard_sourcing
 hardening_ufw() {
   ### Declare Arrays, HashMaps, and Variables.
   declare -r  var_logfile="/root/.ciss/cdi/log/4470_hardening_ufw.log"
-  declare -r  var_rules="${TARGET}/etc/ufw/before6.rules"
+  declare     var_target="${TARGET}"
 
-  chroot_logger "${TARGET}${var_logfile}"
+  ### Check for TARGET / RECOVERY.
+  [[ "${VAR_RUN_RECOVERY}" == "true" ]] && var_target="${RECOVERY}"
 
-  if [[ ! -f "${TARGET}/var/log/ufw.log" ]]; then
-    touch "${TARGET}/var/log/ufw.log"
-    chmod 0640 "${TARGET}/var/log/ufw.log"
+  declare -r  var_rules="${var_target}/etc/ufw/before6.rules"
+
+
+  chroot_logger "${var_target}${var_logfile}"
+
+  if [[ ! -f "${var_target}/var/log/ufw.log" ]]; then
+    touch "${var_target}/var/log/ufw.log"
+    chmod 0640 "${var_target}/var/log/ufw.log"
   fi
 
-  chroot_script "${TARGET}" "
+  chroot_script "${var_target}" "
     ufw --force reset
     ufw logging medium
     ufw default deny incoming
@@ -48,7 +57,7 @@ hardening_ufw() {
   ### Ensure that a standard set of the most commonly used ports are open if a default-'deny'-outbound policy is selected.
   if [[ "${VAR_UFW_OUT}" = "deny" ]]; then
 
-    chroot_script "${TARGET}" "
+    chroot_script "${var_target}" "
       ufw allow out   21/tcp comment 'Outgoing FTP'
       ufw allow out   22/tcp comment 'Outgoing SSH'
       ufw allow out   25/tcp comment 'Outgoing SMTP'
@@ -71,12 +80,11 @@ hardening_ufw() {
   fi
 
   ### Allowing ICMP IPv4 outgoing per default.
-  sed -i "/# ok icmp code for FORWARD/i \# ok icmp codes for OUTPUT" "${TARGET}/etc/ufw/before.rules"
-  sed -i "/# ok icmp code for FORWARD/i \-A ufw-before-output -p icmp --icmp-type destination-unreachable -j ACCEPT" "${TARGET}/etc/ufw/before.rules"
-  sed -i "/# ok icmp code for FORWARD/i \-A ufw-before-output -p icmp --icmp-type time-exceeded -j ACCEPT" "${TARGET}/etc/ufw/before.rules"
-  sed -i "/# ok icmp code for FORWARD/i \-A ufw-before-output -p icmp --icmp-type parameter-problem -j ACCEPT" "${TARGET}/etc/ufw/before.rules"
-  sed -i "/# ok icmp code for FORWARD/i \-A ufw-before-output -p icmp --icmp-type echo-request -j ACCEPT" "${TARGET}/etc/ufw/before.rules"
-
+  sed -i "/# ok icmp code for FORWARD/i \# ok icmp codes for OUTPUT" "${var_target}/etc/ufw/before.rules"
+  sed -i "/# ok icmp code for FORWARD/i \-A ufw-before-output -p icmp --icmp-type destination-unreachable -j ACCEPT" "${var_target}/etc/ufw/before.rules"
+  sed -i "/# ok icmp code for FORWARD/i \-A ufw-before-output -p icmp --icmp-type time-exceeded -j ACCEPT" "${var_target}/etc/ufw/before.rules"
+  sed -i "/# ok icmp code for FORWARD/i \-A ufw-before-output -p icmp --icmp-type parameter-problem -j ACCEPT" "${var_target}/etc/ufw/before.rules"
+  sed -i "/# ok icmp code for FORWARD/i \-A ufw-before-output -p icmp --icmp-type echo-request -j ACCEPT" "${var_target}/etc/ufw/before.rules"
 
   ### Remove previous custom blocks (idempotent).
   sed -i "/^# BEGIN custom MLD rules/,/^# END custom MLD rules/d" "${var_rules}"
@@ -90,10 +98,9 @@ hardening_ufw() {
   ### Useful if local daemons join multicast groups, and you want clean logs.
   sed -i "/-A ufw6-before-output .*--icmpv6-type echo-request -j ACCEPT/i # BEGIN custom MLD OUTPUT rules\n-A ufw6-before-output -o ${VAR_FINAL_NIC} -p icmpv6 --icmpv6-type 131 -d ff02::/16 -j ACCEPT\n-A ufw6-before-output -o ${VAR_FINAL_NIC} -p icmpv6 --icmpv6-type 143 -d ff02::/16 -j ACCEPT\n# END custom MLD OUTPUT rules" "${var_rules}"
 
+  chroot_script "${var_target}" "echo 'y' | ufw enable 2>&1"
 
-  chroot_script "${TARGET}" "echo 'y' | ufw enable 2>&1"
-
-  chroot_script "${TARGET}" "ufw status verbose >> ${var_logfile}"
+  chroot_script "${var_target}" "ufw status verbose >> ${var_logfile}"
 
   guard_dir && return 0
 }