V8.00.000.2025.06.17

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>

func/cdi_4400_hardening/4430_hardening_files.sh

@@ -15,7 +15,10 @@ guard_sourcing
 #######################################
 # Hardening files and directories.
 # Globals:
-#   None
+#   RECOVERY
+#   TARGET
+#   VAR_RUN_RECOVERY
+#   VAR_SETUP_PATH
 # Arguments:
 #   None
 # Returns:
@@ -23,22 +26,29 @@ guard_sourcing
 #######################################
 hardening_files() {
   declare     var_bin="" var_binary=""
+  declare     var_target="${TARGET}"
 
-  chmod 0700 "${TARGET}/etc/cron.d" "${TARGET}/etc/cron.daily" "${TARGET}/etc/cron.hourly" "${TARGET}/etc/cron.monthly" \
-             "${TARGET}/etc/cron.weekly"
-  chmod 0700 "${TARGET}/etc/sudoers.d"
-  chmod 0700 "${TARGET}/etc/crontab"
+  ### Check for TARGET / RECOVERY.
+  [[ "${VAR_RUN_RECOVERY}" == "true" ]] && var_target="${RECOVERY}"
 
-  [[ -f "${TARGET}/etc/cron.deny" ]] && rm "${TARGET}/etc/cron.deny"
+  chmod 0700 "${var_target}/etc/cron.d" "${var_target}/etc/cron.daily" "${var_target}/etc/cron.hourly" "${var_target}/etc/cron.monthly" \
+             "${var_target}/etc/cron.weekly"
+  chmod 0700 "${var_target}/etc/sudoers.d"
+  chmod 0700 "${var_target}/etc/crontab"
 
-  rm -f "${TARGET}/etc/issue" "${TARGET}/etc/issue.net"
-  install -m 0644 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/issue" "${TARGET}/etc/issue"
-  install -m 0644 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/issue.net" "${TARGET}/etc/issue.net"
+  [[ -f "${var_target}/etc/cron.deny" ]] && rm "${var_target}/etc/cron.deny"
 
-  install -d -m 0700 -o root -g root "${TARGET}/root/.ansible"
+  ### /etc/issue ---------------------------------------------------------------------------------------------------------------
+  rm -f "${var_target}/etc/issue" "${var_target}/etc/issue.net"
+  install -m 0644 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/issue" "${var_target}/etc/issue"
+  install -m 0644 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/issue.net" "${var_target}/etc/issue.net"
 
+  ### /root/.ansible -----------------------------------------------------------------------------------------------------------
+  install -d -m 0700 -o root -g root "${var_target}/root/.ansible"
+
+  ### /usr/bin/compiler --------------------------------------------------------------------------------------------------------
   for var_bin in as gcc g++ cc clang; do
-    var_binary=$(readlink -f "${TARGET}/usr/bin/${var_bin}") || {
+    var_binary=$(readlink -f "${var_target}/usr/bin/${var_bin}") || {
       do_log "info" "file_only" "4430() Binary: '${var_bin}' not found, skipping."
       continue
     }
@@ -47,6 +57,16 @@ hardening_files() {
     }
   done
 
+  ### /etc/update-motd.d/10-uname ----------------------------------------------------------------------------------------------
+  mkdir -p "${var_target}/root/.ciss/cdi/backup/etc/update-motd.d"
+  cp -af "${var_target}/etc/update-motd.d/10-uname" "${var_target}/root/.ciss/cdi/backup/etc/update-motd.d/10-uname"
+
+  cat << 'EOF' >| "${var_target}/etc/update-motd.d/10-uname"
+#!/bin/sh
+uname -snrm
+EOF
+  chmod 0755 /etc/update-motd.d/10-uname
+
   guard_dir && return 0
 }
 ### Prevents accidental 'unset -f'.