msw/CISS.debian.installer
SHA256
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

V8.00.000.2025.06.17
All checks were successful
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 1m44s
Details

Browse Source 
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
This commit is contained in:
Marc S. Weidner
2025-10-19 09:06:27 +01:00
parent f7493e37e1
commit 0169be5527
14 changed files with 527 additions and 115 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
.preseed/preseed.yaml
View File

@@ -84,7 +84,7 @@ debootstrap: # Provide a mirror for downloading the Debian pac
# list of official Debian packages. # list of official Debian packages.
mirror: "https://deb.debian.org/debian" mirror: "https://deb.debian.org/debian"
# The following packages MUST be included in the debootstrap. # The following packages MUST be included in the debootstrap.
includes: "busybox,ca-certificates,git,locales,openssl,python3,python3-apt,systemd-cryptsetup,zstd" includes: "busybox,ca-certificates,git,libpam-systemd,locales,openssl,python3,python3-apt,systemd-cryptsetup,zstd"
distribution: "trixie" # MUST be "trixie". distribution: "trixie" # MUST be "trixie".
debian_suite: "stable" # MUST be "stable". Not supported yet: "testing", "experimental". debian_suite: "stable" # MUST be "stable". Not supported yet: "testing", "experimental".
exit: exit:
@@ -855,7 +855,7 @@ user:
tty: true # Allow TTY (local console) login. tty: true # Allow TTY (local console) login.
password: true # Allow password login. SSH password login is always disabled. password: true # Allow password login. SSH password login is always disabled.
2fa: 2fa:
ssh: false # Require 2FA for SSH access. MUST be either 'true' or 'false' for both ssh and tty. ssh: false # Require 2FA for SSH access.
tty: false # Require 2FA for TTY (local console) login. tty: false # Require 2FA for TTY (local console) login.
privileges: privileges:
description: "Root user with full system access and administrative privileges." description: "Root user with full system access and administrative privileges."
@@ -872,7 +872,7 @@ user:
user0: user0:
ensure: present # Must always be 'present'. (Not in use in this version of the installer.) ensure: present # Must always be 'present'. (Not in use in this version of the installer.)
protected: true # Prevent unintentional edits or deletions. (Not in use in this version of the installer.) protected: true # Prevent unintentional edits or deletions. (Not in use in this version of the installer.)
name: "msw" # The name of the user account. name: "msw" # The name of the user account. No ":" allowed.
fullname: "msw" # The full name of the user account holder. fullname: "msw" # The full name of the user account holder.
uid: 1000 # Ensures that the same user has the same UID on all systems. uid: 1000 # Ensures that the same user has the same UID on all systems.
gid: 1000 # Ensures that the same user has the same GID on all systems. gid: 1000 # Ensures that the same user has the same GID on all systems.
@@ -885,7 +885,7 @@ user:
tty: true # Allow TTY (local console) login. tty: true # Allow TTY (local console) login.
password: true # Allow password login. SSH password login is always disabled. password: true # Allow password login. SSH password login is always disabled.
2fa: 2fa:
ssh: false # Require 2FA for SSH access. MUST be either 'true' or 'false' for both ssh and tty. ssh: false # Require 2FA for SSH access.
tty: false # Require 2FA for TTY (local console) login. tty: false # Require 2FA for TTY (local console) login.
privileges: privileges:
description: "Primary admin user with full sudo access and interactive login." description: "Primary admin user with full sudo access and interactive login."
@@ -902,7 +902,7 @@ user:
user1: user1:
ensure: present # "present" = create user; "absent" = remove user ensure: present # "present" = create user; "absent" = remove user
protected: true # Prevent unintentional edits or deletions. protected: true # Prevent unintentional edits or deletions.
name: "ansible" # The name of the user account. name: "ansible" # The name of the user account. No ":" allowed.
fullname: "ansible" # The full name of the user account holder. fullname: "ansible" # The full name of the user account holder.
uid: 137 # Ensures that the same user has the same UID on all systems. uid: 137 # Ensures that the same user has the same UID on all systems.
gid: 137 # Ensures that the same user has the same GID on all systems. gid: 137 # Ensures that the same user has the same GID on all systems.
@@ -915,7 +915,7 @@ user:
tty: false # Allow TTY (local console) login. tty: false # Allow TTY (local console) login.
password: false # Allow password login. SSH password login is always disabled. password: false # Allow password login. SSH password login is always disabled.
2fa: 2fa:
ssh: false # Require 2FA for SSH access. MUST be either 'true' or 'false' for both ssh and tty. ssh: false # Require 2FA for SSH access.
tty: false # Require 2FA for TTY (local console) login. tty: false # Require 2FA for TTY (local console) login.
privileges: privileges:
description: "Ansible automation user with sudo, key-only SSH, no TTY." description: "Ansible automation user with sudo, key-only SSH, no TTY."

3
ciss_debian_installer.sh
View File

@@ -435,6 +435,9 @@ auditing_packages
info_echo "4900_final_command.sh [${TARGET}]" info_echo "4900_final_command.sh [${TARGET}]"
final_commands final_commands
info_echo "4950_final_logrotate.sh [${TARGET}]"
final_logrotate
info_echo "4999_exiting_chroot_system.sh [${TARGET}]" info_echo "4999_exiting_chroot_system.sh [${TARGET}]"
exiting_chroot_system exiting_chroot_system

129
func/cdi_4400_hardening/4420_hardening_fail2ban.sh
View File

@@ -17,12 +17,14 @@ guard_sourcing
# Globals: # Globals:
# ARY_ALLOW_IPV4 # ARY_ALLOW_IPV4
# ARY_ALLOW_IPV6 # ARY_ALLOW_IPV6
# RECOVERY
# TARGET # TARGET
# VAR_FINAL_FQDN # VAR_FINAL_FQDN
# VAR_FINAL_IPV4 # VAR_FINAL_IPV4
# VAR_FINAL_IPV6 # VAR_FINAL_IPV6
# VAR_LINK_IPV6 # VAR_LINK_IPV6
# VAR_PROVIDER # VAR_PROVIDER
# VAR_RUN_RECOVERY
# VAR_SSH_PORT # VAR_SSH_PORT
# Arguments: # Arguments:
# None # None
@@ -32,29 +34,33 @@ guard_sourcing
hardening_fail2ban() { hardening_fail2ban() {
### Declare Arrays, HashMaps, and Variables. ### Declare Arrays, HashMaps, and Variables.
declare -r var_logfile="/root/.ciss/cdi/log/4420_hardening_fail2ban.log" declare -r var_logfile="/root/.ciss/cdi/log/4420_hardening_fail2ban.log"
declare var_target="${TARGET}"
chroot_logger "${TARGET}${var_logfile}" ### Check for TARGET / RECOVERY.
[[ "${VAR_RUN_RECOVERY}" == "true" ]] && var_target="${RECOVERY}"
mkdir -p "${TARGET}/root/.ciss/cdi/backup/etc/fail2ban/jail.d" chroot_logger "${var_target}${var_logfile}"
cp "${TARGET}/etc/fail2ban/fail2ban.conf" "${TARGET}/root/.ciss/cdi/backup/etc/fail2ban/fail2ban.conf.bak"
mv "${TARGET}/etc/fail2ban/jail.d/defaults-debian.conf" "${TARGET}/root/.ciss/cdi/backup/etc/fail2ban/jail.d/defaults-debian.conf.bak" mkdir -p "${var_target}/root/.ciss/cdi/backup/etc/fail2ban/jail.d"
cp "${var_target}/etc/fail2ban/fail2ban.conf" "${var_target}/root/.ciss/cdi/backup/etc/fail2ban/fail2ban.conf.bak"
mv "${var_target}/etc/fail2ban/jail.d/defaults-debian.conf" "${var_target}/root/.ciss/cdi/backup/etc/fail2ban/jail.d/defaults-debian.conf.bak"
# https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1024305 # https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1024305
insert_header "${TARGET}/etc/fail2ban/fail2ban.local" insert_header "${var_target}/etc/fail2ban/fail2ban.local"
insert_comments "${TARGET}/etc/fail2ban/fail2ban.local" insert_comments "${var_target}/etc/fail2ban/fail2ban.local"
cat << 'EOF' >> "${TARGET}/etc/fail2ban/fail2ban.local" cat << 'EOF' >> "${var_target}/etc/fail2ban/fail2ban.local"
[DEFAULT] [DEFAULT]
allowipv6 = auto allowipv6 = auto
EOF EOF
insert_header "${TARGET}/etc/fail2ban/jail.d/ciss-default.conf" insert_header "${var_target}/etc/fail2ban/jail.d/ciss-default.conf"
insert_comments "${TARGET}/etc/fail2ban/jail.d/ciss-default.conf" insert_comments "${var_target}/etc/fail2ban/jail.d/ciss-default.conf"
if [[ "${#ARY_ALLOW_IPV4[@]}" -gt 0 ]]; then if [[ "${#ARY_ALLOW_IPV4[@]}" -gt 0 ]]; then
### fail2ban ufw aggressive mode, one attempt for jumphost configuration. ### fail2ban ufw aggressive mode, one attempt for jumphost configuration.
cat << EOF >> "${TARGET}/etc/fail2ban/jail.d/ciss-default.conf" cat << EOF >> "${var_target}/etc/fail2ban/jail.d/ciss-default.conf"
[DEFAULT] [DEFAULT]
usedns = yes usedns = yes
ignoreip = 127.0.0.0/8 ::1 ignoreip = 127.0.0.0/8 ::1
@@ -64,28 +70,37 @@ EOF
if [[ "${VAR_LINK_IPV6}" == "true" ]]; then if [[ "${VAR_LINK_IPV6}" == "true" ]]; then
cat << EOF >> "${TARGET}/etc/fail2ban/jail.d/ciss-default.conf" cat << EOF >> "${var_target}/etc/fail2ban/jail.d/ciss-default.conf"
${VAR_FINAL_IPV6}/64 ${VAR_FINAL_IPV6}/64
EOF EOF
fi fi
cat << EOF >> "${TARGET}/etc/fail2ban/jail.d/ciss-default.conf" cat << EOF >> "${var_target}/etc/fail2ban/jail.d/ciss-default.conf"
# Jumphost # Jumphost
${ARY_ALLOW_IPV4[*]} ${ARY_ALLOW_IPV4[*]}
EOF EOF
if [[ "${VAR_LINK_IPV6}" == "true" ]]; then if [[ "${VAR_LINK_IPV6}" == "true" ]]; then
cat << EOF >> "${TARGET}/etc/fail2ban/jail.d/ciss-default.conf" cat << EOF >> "${var_target}/etc/fail2ban/jail.d/ciss-default.conf"
${ARY_ALLOW_IPV6[*]} ${ARY_ALLOW_IPV6[*]}
EOF EOF
fi fi
cat << EOF >> "${TARGET}/etc/fail2ban/jail.d/ciss-default.conf" cat << EOF >> "${var_target}/etc/fail2ban/jail.d/ciss-default.conf"
maxretry = 8 maxretry = 8
findtime = 24h findtime = 24h
bantime = 24h bantime = 24h
[recidive]
enabled = true
filter = recidive
logpath = /var/log/fail2ban/fail2ban.log*
banaction = iptables-allports
bantime = 32d
findtime = 384d
maxretry = 4
[sshd] [sshd]
enabled = true enabled = true
backend = systemd backend = systemd
@@ -112,7 +127,6 @@ logpath = /var/log/ufw.log
maxretry = 1 maxretry = 1
findtime = 24h findtime = 24h
bantime = 24h bantime = 24h
protocol = tcp,udp
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
EOF EOF
@@ -120,7 +134,7 @@ EOF
else else
### fail2ban ufw aggressive mode, 32 attempts for NO jumphost configuration. ### fail2ban ufw aggressive mode, 32 attempts for NO jumphost configuration.
cat << EOF >> "${TARGET}/etc/fail2ban/jail.d/ciss-default.conf" cat << EOF >> "${var_target}/etc/fail2ban/jail.d/ciss-default.conf"
[DEFAULT] [DEFAULT]
usedns = yes usedns = yes
ignoreip = 127.0.0.0/8 ::1 ignoreip = 127.0.0.0/8 ::1
@@ -130,16 +144,25 @@ EOF
if [[ "${VAR_LINK_IPV6}" == "true" ]]; then if [[ "${VAR_LINK_IPV6}" == "true" ]]; then
cat << EOF >> "${TARGET}/etc/fail2ban/jail.d/ciss-default.conf" cat << EOF >> "${var_target}/etc/fail2ban/jail.d/ciss-default.conf"
${VAR_FINAL_IPV6}/64 ${VAR_FINAL_IPV6}/64
EOF EOF
fi fi
cat << EOF >> "${TARGET}/etc/fail2ban/jail.d/ciss-default.conf" cat << EOF >> "${var_target}/etc/fail2ban/jail.d/ciss-default.conf"
maxretry = 8 maxretry = 8
findtime = 24h findtime = 24h
bantime = 24h bantime = 24h
[recidive]
enabled = true
filter = recidive
logpath = /var/log/fail2ban/fail2ban.log*
banaction = iptables-allports
bantime = 32d
findtime = 384d
maxretry = 4
[sshd] [sshd]
enabled = true enabled = true
backend = systemd backend = systemd
@@ -166,7 +189,6 @@ logpath = /var/log/ufw.log
maxretry = 8 maxretry = 8
findtime = 24h findtime = 24h
bantime = 24h bantime = 24h
protocol = tcp,udp
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
EOF EOF
@@ -176,16 +198,19 @@ EOF
### Provider Hetzner needs special ignoreip rules. ### Provider Hetzner needs special ignoreip rules.
if [[ "${VAR_PROVIDER}" == "hetzner" ]]; then if [[ "${VAR_PROVIDER}" == "hetzner" ]]; then
sed -i '0,/^maxretry/{s/^maxretry/# Hetzner Intern\n 172.31.1.1\/16\n&/}' "${TARGET}/etc/fail2ban/jail.d/ciss-default.conf" sed -i '0,/^maxretry/{s/^maxretry/# Hetzner Intern\n 172.31.1.1\/16\n&/}' "${var_target}/etc/fail2ban/jail.d/ciss-default.conf"
fi fi
insert_header "${TARGET}/etc/fail2ban/filter.d/ciss.ufw.conf" insert_header "${var_target}/etc/fail2ban/filter.d/ciss.ufw.conf"
insert_comments "${TARGET}/etc/fail2ban/filter.d/ciss.ufw.conf" insert_comments "${var_target}/etc/fail2ban/filter.d/ciss.ufw.conf"
cat << EOF >> "${TARGET}/etc/fail2ban/filter.d/ciss.ufw.conf" cat << EOF >> "${var_target}/etc/fail2ban/filter.d/ciss.ufw.conf"
[Definition] [Definition]
failregex = ^.*UFW BLOCK.* SRC=<HOST> .*DPT=\d+ .* failregex = \[UFW BLOCK\].+SRC=<HOST> DST
ignoreregex = ignoreregex =
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
EOF EOF
# Hardening of fail2ban systemd: https://wiki.archlinux.org/title/fail2ban#Service_hardening # Hardening of fail2ban systemd: https://wiki.archlinux.org/title/fail2ban#Service_hardening
@@ -193,12 +218,12 @@ EOF
# file. "CAP_NET_ADMIN" and "CAP_NET_RAW" allow fail2ban to operate on any firewall that has a command-line shell interface. # file. "CAP_NET_ADMIN" and "CAP_NET_RAW" allow fail2ban to operate on any firewall that has a command-line shell interface.
# By using 'ProtectSystem=strict' the filesystem hierarchy will only be read-only; 'ReadWritePaths' allows Fail2ban to have # By using 'ProtectSystem=strict' the filesystem hierarchy will only be read-only; 'ReadWritePaths' allows Fail2ban to have
# write access on required paths. # write access on required paths.
mkdir -p "${TARGET}/etc/systemd/system/fail2ban.service.d" mkdir -p "${var_target}/etc/systemd/system/fail2ban.service.d"
mkdir -p "${TARGET}/var/log/fail2ban" mkdir -p "${var_target}/var/log/fail2ban"
insert_header "${TARGET}/etc/systemd/system/fail2ban.service.d/override.conf" insert_header "${var_target}/etc/systemd/system/fail2ban.service.d/override.conf"
insert_comments "${TARGET}/etc/systemd/system/fail2ban.service.d/override.conf" insert_comments "${var_target}/etc/systemd/system/fail2ban.service.d/override.conf"
cat << EOF >> "${TARGET}/etc/systemd/system/fail2ban.service.d/override.conf" cat << EOF >> "${var_target}/etc/systemd/system/fail2ban.service.d/override.conf"
[Service] [Service]
PrivateDevices=yes PrivateDevices=yes
PrivateTmp=yes PrivateTmp=yes
@@ -214,29 +239,53 @@ ProtectClock=true
ProtectHostname=true ProtectHostname=true
EOF EOF
cat << 'EOF' >> "${TARGET}/etc/fail2ban/fail2ban.local" cat << 'EOF' >> "${var_target}/etc/fail2ban/fail2ban.local"
[Definition] [Definition]
logtarget = /var/log/fail2ban/fail2ban.log logtarget = /var/log/fail2ban/fail2ban.log
[Database]
# Keep entries for at least 384 days to cover recidive findtime.
dbpurgeage = 384d
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
EOF EOF
### Logrotate must be updated too. ### Logrotate must be updated too.
mkdir -p "${TARGET}/root/.ciss/cdi/backup/etc/logrotate.d" mkdir -p "${var_target}/root/.ciss/cdi/backup/etc/logrotate.d"
cp "${TARGET}/etc/logrotate.d/fail2ban" "${TARGET}/root/.ciss/cdi/backup/etc/logrotate.d/fail2ban.bak" cp "${var_target}/etc/logrotate.d/fail2ban" "${var_target}/root/.ciss/cdi/backup/etc/logrotate.d/fail2ban.bak"
sed -i 's/\/var\/log\/fail2ban.log/\/var\/log\/fail2ban\/fail2ban.log/1' "${TARGET}/etc/logrotate.d/fail2ban" cat << EOF >| "${var_target}/etc/logrotate.d/fail2ban"
touch "${TARGET}/var/log/fail2ban/fail2ban.log" /var/log/fail2ban/fail2ban.log {
chmod 640 "${TARGET}/var/log/fail2ban/fail2ban.log"
if [[ ! -f "${TARGET}/var/log/ufw.log" ]]; then daily
install -d -m 0755 "${TARGET}/var/log" rotate 384
: >| "${TARGET}/var/log/ufw.log" compress
chmod 0640 "${TARGET}/var/log/ufw.log" # Do not rotate if empty
notifempty
delaycompress
missingok
postrotate
fail2ban-client flushlogs 1>/dev/null
endscript
# If fail2ban runs as non-root it still needs to have write access
# to logfiles.
# create 640 fail2ban adm
create 640 root adm
}
EOF
touch "${var_target}/var/log/fail2ban/fail2ban.log"
chmod 0640 "${var_target}/var/log/fail2ban/fail2ban.log"
if [[ ! -f "${var_target}/var/log/ufw.log" ]]; then
install -d -m 0755 "${var_target}/var/log"
: >| "${var_target}/var/log/ufw.log"
chmod 0640 "${var_target}/var/log/ufw.log"
fi fi
### Merge / Dump-Parse via 'fail2ban-client -d'. All '*.conf', '*.local', and 'jail.*'-files are read, inherited, and merged. ### Merge / Dump-Parse via 'fail2ban-client -d'. All '*.conf', '*.local', and 'jail.*'-files are read, inherited, and merged.
### Syntax, path, and key errors result in a non-zero exit. ### Syntax, path, and key errors result in a non-zero exit.
chroot_script "${TARGET}" " chroot_script "${var_target}" "
fail2ban-client -d >> ${var_logfile} && echo "OK: config parsed" >> ${var_logfile} || echo "ERROR: config invalid" >> ${var_logfile} fail2ban-client -d >> ${var_logfile} && echo "OK: config parsed" >> ${var_logfile} || echo "ERROR: config invalid" >> ${var_logfile}
" "

42
func/cdi_4400_hardening/4430_hardening_files.sh
View File

@@ -15,7 +15,10 @@ guard_sourcing
####################################### #######################################
# Hardening files and directories. # Hardening files and directories.
# Globals: # Globals:
# None # RECOVERY
# TARGET
# VAR_RUN_RECOVERY
# VAR_SETUP_PATH
# Arguments: # Arguments:
# None # None
# Returns: # Returns:
@@ -23,22 +26,29 @@ guard_sourcing
####################################### #######################################
hardening_files() { hardening_files() {
declare var_bin="" var_binary="" declare var_bin="" var_binary=""
declare var_target="${TARGET}"
chmod 0700 "${TARGET}/etc/cron.d" "${TARGET}/etc/cron.daily" "${TARGET}/etc/cron.hourly" "${TARGET}/etc/cron.monthly" \ ### Check for TARGET / RECOVERY.
"${TARGET}/etc/cron.weekly" [[ "${VAR_RUN_RECOVERY}" == "true" ]] && var_target="${RECOVERY}"
chmod 0700 "${TARGET}/etc/sudoers.d"
chmod 0700 "${TARGET}/etc/crontab"
[[ -f "${TARGET}/etc/cron.deny" ]] && rm "${TARGET}/etc/cron.deny" chmod 0700 "${var_target}/etc/cron.d" "${var_target}/etc/cron.daily" "${var_target}/etc/cron.hourly" "${var_target}/etc/cron.monthly" \
"${var_target}/etc/cron.weekly"
chmod 0700 "${var_target}/etc/sudoers.d"
chmod 0700 "${var_target}/etc/crontab"
rm -f "${TARGET}/etc/issue" "${TARGET}/etc/issue.net" [[ -f "${var_target}/etc/cron.deny" ]] && rm "${var_target}/etc/cron.deny"
install -m 0644 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/issue" "${TARGET}/etc/issue"
install -m 0644 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/issue.net" "${TARGET}/etc/issue.net"
install -d -m 0700 -o root -g root "${TARGET}/root/.ansible" ### /etc/issue ---------------------------------------------------------------------------------------------------------------
rm -f "${var_target}/etc/issue" "${var_target}/etc/issue.net"
install -m 0644 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/issue" "${var_target}/etc/issue"
install -m 0644 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/issue.net" "${var_target}/etc/issue.net"
### /root/.ansible -----------------------------------------------------------------------------------------------------------
install -d -m 0700 -o root -g root "${var_target}/root/.ansible"
### /usr/bin/compiler --------------------------------------------------------------------------------------------------------
for var_bin in as gcc g++ cc clang; do for var_bin in as gcc g++ cc clang; do
var_binary=$(readlink -f "${TARGET}/usr/bin/${var_bin}") || { var_binary=$(readlink -f "${var_target}/usr/bin/${var_bin}") || {
do_log "info" "file_only" "4430() Binary: '${var_bin}' not found, skipping." do_log "info" "file_only" "4430() Binary: '${var_bin}' not found, skipping."
continue continue
} }
@@ -47,6 +57,16 @@ hardening_files() {
} }
done done
### /etc/update-motd.d/10-uname ----------------------------------------------------------------------------------------------
mkdir -p "${var_target}/root/.ciss/cdi/backup/etc/update-motd.d"
cp -af "${var_target}/etc/update-motd.d/10-uname" "${var_target}/root/.ciss/cdi/backup/etc/update-motd.d/10-uname"
cat << 'EOF' >| "${var_target}/etc/update-motd.d/10-uname"
#!/bin/sh
uname -snrm
EOF
chmod 0755 /etc/update-motd.d/10-uname
guard_dir && return 0 guard_dir && return 0
} }
### Prevents accidental 'unset -f'. ### Prevents accidental 'unset -f'.

20
func/cdi_4400_hardening/4445_hardening_logrotate.sh
View File

@@ -13,9 +13,11 @@
guard_sourcing guard_sourcing
####################################### #######################################
# Hardening logrotate. # Hardening '/etc/logrotate'.
# Globals: # Globals:
# RECOVERY
# TARGET # TARGET
# VAR_RUN_RECOVERY
# Arguments: # Arguments:
# None # None
# Returns: # Returns:
@@ -23,8 +25,6 @@ guard_sourcing
####################################### #######################################
hardening_logrotate() { hardening_logrotate() {
### Declare Arrays, HashMaps, and Variables. ### Declare Arrays, HashMaps, and Variables.
declare -ar ary_logrotate=( "alternatives" "apt" "btmp" "chrony" "dpkg" "fail2ban" "rkhunter" "ufw" "unattended-upgrades" "usbguard")
declare var_file="" var_log=""
declare var_target="${TARGET}" declare var_target="${TARGET}"
### Check for TARGET / RECOVERY. ### Check for TARGET / RECOVERY.
@@ -39,8 +39,8 @@ hardening_logrotate() {
# rotate log files daily # rotate log files daily
daily daily
# keep 128 daily worth of backlogs # keep 384 daily worth of backlogs
rotate 128 rotate 384
# hard cap: delete rotated logs older than 384 days # hard cap: delete rotated logs older than 384 days
maxage 384 maxage 384
@@ -65,16 +65,6 @@ include /etc/logrotate.d
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
EOF EOF
for var_log in "${ary_logrotate[@]}"; do
var_file="${var_target}/etc/logrotate.d/${var_log}"
[[ -e "${var_file}" ]] || continue
### Replace leading 'monthly'/'weekly' directives with 'daily', preserving indentation and trailing comments.
sed -E -i \
-e 's/^([[:space:]]*)(monthly|weekly)([[:space:]]*)(#.*)?$/\1daily\3\4/' \
-e 's/^([[:space:]]*)rotate([[:space:]]+[0-9]+)?([[:space:]]*)(#.*)?$/\1rotate 128\3\4/' \
"${var_file}"
done
guard_dir && return 0 guard_dir && return 0
} }
### Prevents accidental 'unset -f'. ### Prevents accidental 'unset -f'.

39
func/cdi_4400_hardening/4470_hardening_ufw.sh
View File

@@ -15,7 +15,10 @@ guard_sourcing
####################################### #######################################
# Hardening 'ufw'. # Hardening 'ufw'.
# Globals: # Globals:
# RECOVERY
# TARGET # TARGET
# VAR_FINAL_NIC
# VAR_RUN_RECOVERY
# VAR_SSH_PORT # VAR_SSH_PORT
# VAR_UFW_OUT # VAR_UFW_OUT
# Arguments: # Arguments:
@@ -26,16 +29,22 @@ guard_sourcing
hardening_ufw() { hardening_ufw() {
### Declare Arrays, HashMaps, and Variables. ### Declare Arrays, HashMaps, and Variables.
declare -r var_logfile="/root/.ciss/cdi/log/4470_hardening_ufw.log" declare -r var_logfile="/root/.ciss/cdi/log/4470_hardening_ufw.log"
declare -r var_rules="${TARGET}/etc/ufw/before6.rules" declare var_target="${TARGET}"
chroot_logger "${TARGET}${var_logfile}" ### Check for TARGET / RECOVERY.
[[ "${VAR_RUN_RECOVERY}" == "true" ]] && var_target="${RECOVERY}"
if [[ ! -f "${TARGET}/var/log/ufw.log" ]]; then declare -r var_rules="${var_target}/etc/ufw/before6.rules"
touch "${TARGET}/var/log/ufw.log"
chmod 0640 "${TARGET}/var/log/ufw.log"
chroot_logger "${var_target}${var_logfile}"
if [[ ! -f "${var_target}/var/log/ufw.log" ]]; then
touch "${var_target}/var/log/ufw.log"
chmod 0640 "${var_target}/var/log/ufw.log"
fi fi
chroot_script "${TARGET}" " chroot_script "${var_target}" "
ufw --force reset ufw --force reset
ufw logging medium ufw logging medium
ufw default deny incoming ufw default deny incoming
@@ -48,7 +57,7 @@ hardening_ufw() {
### Ensure that a standard set of the most commonly used ports are open if a default-'deny'-outbound policy is selected. ### Ensure that a standard set of the most commonly used ports are open if a default-'deny'-outbound policy is selected.
if [[ "${VAR_UFW_OUT}" = "deny" ]]; then if [[ "${VAR_UFW_OUT}" = "deny" ]]; then
chroot_script "${TARGET}" " chroot_script "${var_target}" "
ufw allow out 21/tcp comment 'Outgoing FTP' ufw allow out 21/tcp comment 'Outgoing FTP'
ufw allow out 22/tcp comment 'Outgoing SSH' ufw allow out 22/tcp comment 'Outgoing SSH'
ufw allow out 25/tcp comment 'Outgoing SMTP' ufw allow out 25/tcp comment 'Outgoing SMTP'
@@ -71,12 +80,11 @@ hardening_ufw() {
fi fi
### Allowing ICMP IPv4 outgoing per default. ### Allowing ICMP IPv4 outgoing per default.
sed -i "/# ok icmp code for FORWARD/i \# ok icmp codes for OUTPUT" "${TARGET}/etc/ufw/before.rules" sed -i "/# ok icmp code for FORWARD/i \# ok icmp codes for OUTPUT" "${var_target}/etc/ufw/before.rules"
sed -i "/# ok icmp code for FORWARD/i \-A ufw-before-output -p icmp --icmp-type destination-unreachable -j ACCEPT" "${TARGET}/etc/ufw/before.rules" sed -i "/# ok icmp code for FORWARD/i \-A ufw-before-output -p icmp --icmp-type destination-unreachable -j ACCEPT" "${var_target}/etc/ufw/before.rules"
sed -i "/# ok icmp code for FORWARD/i \-A ufw-before-output -p icmp --icmp-type time-exceeded -j ACCEPT" "${TARGET}/etc/ufw/before.rules" sed -i "/# ok icmp code for FORWARD/i \-A ufw-before-output -p icmp --icmp-type time-exceeded -j ACCEPT" "${var_target}/etc/ufw/before.rules"
sed -i "/# ok icmp code for FORWARD/i \-A ufw-before-output -p icmp --icmp-type parameter-problem -j ACCEPT" "${TARGET}/etc/ufw/before.rules" sed -i "/# ok icmp code for FORWARD/i \-A ufw-before-output -p icmp --icmp-type parameter-problem -j ACCEPT" "${var_target}/etc/ufw/before.rules"
sed -i "/# ok icmp code for FORWARD/i \-A ufw-before-output -p icmp --icmp-type echo-request -j ACCEPT" "${TARGET}/etc/ufw/before.rules" sed -i "/# ok icmp code for FORWARD/i \-A ufw-before-output -p icmp --icmp-type echo-request -j ACCEPT" "${var_target}/etc/ufw/before.rules"
### Remove previous custom blocks (idempotent). ### Remove previous custom blocks (idempotent).
sed -i "/^# BEGIN custom MLD rules/,/^# END custom MLD rules/d" "${var_rules}" sed -i "/^# BEGIN custom MLD rules/,/^# END custom MLD rules/d" "${var_rules}"
@@ -90,10 +98,9 @@ hardening_ufw() {
### Useful if local daemons join multicast groups, and you want clean logs. ### Useful if local daemons join multicast groups, and you want clean logs.
sed -i "/-A ufw6-before-output .*--icmpv6-type echo-request -j ACCEPT/i # BEGIN custom MLD OUTPUT rules\n-A ufw6-before-output -o ${VAR_FINAL_NIC} -p icmpv6 --icmpv6-type 131 -d ff02::/16 -j ACCEPT\n-A ufw6-before-output -o ${VAR_FINAL_NIC} -p icmpv6 --icmpv6-type 143 -d ff02::/16 -j ACCEPT\n# END custom MLD OUTPUT rules" "${var_rules}" sed -i "/-A ufw6-before-output .*--icmpv6-type echo-request -j ACCEPT/i # BEGIN custom MLD OUTPUT rules\n-A ufw6-before-output -o ${VAR_FINAL_NIC} -p icmpv6 --icmpv6-type 131 -d ff02::/16 -j ACCEPT\n-A ufw6-before-output -o ${VAR_FINAL_NIC} -p icmpv6 --icmpv6-type 143 -d ff02::/16 -j ACCEPT\n# END custom MLD OUTPUT rules" "${var_rules}"
chroot_script "${var_target}" "echo 'y' | ufw enable 2>&1"
chroot_script "${TARGET}" "echo 'y' | ufw enable 2>&1" chroot_script "${var_target}" "ufw status verbose >> ${var_logfile}"
chroot_script "${TARGET}" "ufw status verbose >> ${var_logfile}"
guard_dir && return 0 guard_dir && return 0
} }

170
func/cdi_4500_user/4520_accounts_setup.sh
View File

@@ -18,6 +18,7 @@ guard_sourcing
# RECOVERY # RECOVERY
# TARGET # TARGET
# VAR_RUN_RECOVERY # VAR_RUN_RECOVERY
# VAR_SETUP_PATH
# VAR_TEMP_PLAIN_MFA_SEED # VAR_TEMP_PLAIN_MFA_SEED
# VAR_USER_MAX # VAR_USER_MAX
# VAR_USER_ROOT_SPECIFIC # VAR_USER_ROOT_SPECIFIC
@@ -51,6 +52,10 @@ accounts_setup() {
chroot_logger "${var_target}${var_logfile}" chroot_logger "${var_target}${var_logfile}"
### Install CISS TOTP gate script.
install -m 0755 -o root -g root "${VAR_SETUP_PATH}/includes/target/usr/local/libexec/ciss_pam_2fa_gate.sh" \
"${var_target}/usr/local/libexec/"
### Update pam modules for 2fa. ### Update pam modules for 2fa.
write_pam_login "${var_target}" write_pam_login "${var_target}"
write_pam_sshd "${var_target}" write_pam_sshd "${var_target}"
@@ -166,7 +171,10 @@ EOF
if [[ "${user_root_authentication_2fa_ssh}" == "true" || "${user_root_authentication_2fa_tty}" == "true" ]]; then if [[ "${user_root_authentication_2fa_ssh}" == "true" || "${user_root_authentication_2fa_tty}" == "true" ]]; then
write_google_authenticator_file "root" "0" "0" "${var_target}" write_google_authenticator_file "root" "0" "0" "${var_target}"
printf '%s\n' "root" >> "${var_target}/etc/ciss/2fa.users"
[[ "${user_root_authentication_2fa_ssh}" == "true" ]] && write_ciss_2fa_user "root" "sshd" "on" "${var_target}"
[[ "${user_root_authentication_2fa_tty}" == "true" ]] && write_ciss_2fa_user "root" "login" "on" "${var_target}"
fi fi
@@ -382,7 +390,10 @@ EOF
if [[ "${var_2fa_ssh}" == "true" || "${var_2fa_tty}" == "true" ]]; then if [[ "${var_2fa_ssh}" == "true" || "${var_2fa_tty}" == "true" ]]; then
write_google_authenticator_file "${var_username}" "${var_uid}" "${var_gid}" "${var_target}" write_google_authenticator_file "${var_username}" "${var_uid}" "${var_gid}" "${var_target}"
printf '%s\n' "${var_username}" >> "${var_target}/etc/ciss/2fa.users"
[[ "${var_2fa_ssh}" == "true" ]] && write_ciss_2fa_user "${var_username}" "sshd" "on" "${var_target}"
[[ "${var_2fa_tty}" == "true" ]] && write_ciss_2fa_user "${var_username}" "login" "on" "${var_target}"
fi fi
@@ -652,7 +663,7 @@ EOF
cat << EOF >> "${var_lr_conf}" cat << EOF >> "${var_lr_conf}"
/var/log/sudo.log { /var/log/sudo.log {
daily daily
rotate 128 rotate 384
maxage 384 maxage 384
compress compress
delaycompress delaycompress
@@ -666,18 +677,6 @@ EOF
} }
EOF EOF
### Verify logrotate config in chroot.
if ! chroot_script "${var_target}" "logrotate -d /etc/logrotate.conf >> ${var_logfile}"; then
do_log "warn" "file_only" "4520() Command: [chroot_script ${var_target} logrotate -d /etc/logrotate.conf] failed."
return "${ERR_VERIFY_LOGROTATE}"
else
do_log "info" "file_only" "4520() Command: [chroot_script ${var_target} logrotate -d /etc/logrotate.conf] successful."
fi
fi fi
return 0 return 0
@@ -721,6 +720,131 @@ read_totp_seed(){
# shellcheck disable=SC2034 # shellcheck disable=SC2034
readonly -f read_totp_seed readonly -f read_totp_seed
#######################################
# Writes idempotently '/etc/ciss/2fa.map'.
# Globals:
# None
# Arguments:
# 1: user
# 2: module {login, sshd, su, sudo}
# 3: status {on, off, 1, 0, yes, no, true, false}
# 4: target
# Returns:
# 0: on success
#######################################
write_ciss_2fa_user() {
### Declare Arrays, HashMaps, and Variables.
declare -r var_u="${1}" var_m="${2,,}" var_s="${3}" var_target="${4}"
declare -r var_ciss_2fa_map="${var_target}/etc/ciss/2fa.map" var_map_file="${var_ciss_2fa_map}" \
var_tmp_file="${var_map_file}.tmp.$$" var_umask=$(umask)
declare -i col_idx="" found="0" status=""
declare line=""
umask 0077
# shellcheck disable=SC2249
case "${var_s,,}" in
on|1|yes|true) status="1" ;;
off|0|no|false) status="0" ;;
esac
# shellcheck disable=SC2249
case "${var_m}" in
login) col_idx=2 ;;
sshd) col_idx=3 ;;
su) col_idx=4 ;;
sudo) col_idx=5 ;;
esac
### Read the old map, rewrite with targeted change.
if [[ -r "${var_map_file}" ]]; then
### Read line by line; preserve comments/blank lines; drop duplicate user lines beyond the first.
while IFS= read -r line || [[ -n "${line}" ]]; do
### Preserve comments and blanks verbatim.
if [[ -z "${line}" || "${line:0:1}" == "#" ]]; then
printf '%s\n' "${line}" >> "${var_tmp_file}"
continue
fi
### Parse colon-separated fields (the rest is ignored).
declare u="" f_login="" f_sshd="" f_su="" f_sudo="" rest=""
IFS=':' read -r u f_login f_sshd f_su f_sudo rest <<< "${line}"
### Keep non-target users verbatim.
if [[ "${u}" != "${var_u}" ]]; then
printf '%s\n' "${line}" >> "${var_tmp_file}"
continue
fi
### If we already updated this user once, skip any further duplicates.
if [[ "${found}" -eq 1 ]]; then
### Drop duplicate occurrence to keep the file canonical.
continue
fi
### Fill missing fields with defaults=1.
[[ -n "${f_login}" ]] || f_login=1
[[ -n "${f_sshd}" ]] || f_sshd=1
[[ -n "${f_su}" ]] || f_su=1
[[ -n "${f_sudo}" ]] || f_sudo=1
### Toggle the requested column only.
# shellcheck disable=SC2249
case "${col_idx}" in
2) f_login="${status}" ;;
3) f_sshd="${status}" ;;
4) f_su="${status}" ;;
5) f_sudo="${status}" ;;
esac
printf '%s:%s:%s:%s:%s\n' "${u}" "${f_login}" "${f_sshd}" "${f_su}" "${f_sudo}" >> "${var_tmp_file}"
found=1
done < "${var_map_file}"
fi
### If user not found: append a new default line (all 1), with the column set.
if [[ "${found}" -eq 0 ]]; then
declare -i d_login="1" d_sshd="1" d_su="1" d_sudo="1"
# shellcheck disable=SC2249
case "${col_idx}" in
2) d_login="${status}" ;;
3) d_sshd="${status}" ;;
4) d_su="${status}" ;;
5) d_sudo="${status}" ;;
esac
printf '%s:%s:%s:%s:%s\n' "${var_u}" "${d_login}" "${d_sshd}" "${d_su}" "${d_sudo}" >> "${var_tmp_file}"
fi
if [[ -e "${var_tmp_file}" ]]; then
mv -f -- "${var_tmp_file}" "${var_map_file}" || rm -f -- "${var_tmp_file}"
fi
umask "${var_umask}"
return 0
}
### Prevents accidental 'unset -f'.
# shellcheck disable=SC2034
readonly -f write_ciss_2fa_user
####################################### #######################################
# Writes '.google_authenticator'-file for the respective user. # Writes '.google_authenticator'-file for the respective user.
# Globals: # Globals:
@@ -859,8 +983,8 @@ session required pam_env.so readenv=1 envfile=/etc/default/locale
# ===== CISS 2FA block ======== # ===== CISS 2FA block ========
# If user is NOT listed -> succeed and SKIP next two lines (no TOTP prompt). # If gate returns SUCCESS => skip next two lines (no TOTP).
auth [success=2 default=ignore] pam_listfile.so item=user sense=deny file=/etc/ciss/2fa.users onerr=ignore auth [success=2 default=ignore] pam_exec.so quiet /usr/local/libexec/ciss_pam_2fa_gate.sh
# For listed users: enforce that the secret file exists, else deny without prompting. # For listed users: enforce that the secret file exists, else deny without prompting.
# pam_google_authenticator will itself fail if the file is absent; we add a clear hint before it. # pam_google_authenticator will itself fail if the file is absent; we add a clear hint before it.
@@ -943,8 +1067,8 @@ write_pam_sshd() {
# ===== CISS 2FA block ======== # ===== CISS 2FA block ========
# If user is NOT listed -> succeed and SKIP next two lines (silent Keyboard-Interactive (KI) success). # If gate returns SUCCESS => skip next two lines (no TOTP).
auth [success=2 default=ignore] pam_listfile.so item=user sense=deny file=/etc/ciss/2fa.users onerr=ignore auth [success=2 default=ignore] pam_exec.so quiet /usr/local/libexec/ciss_pam_2fa_gate.sh
# For listed users: enforce that the secret file exists, else deny without prompting. # For listed users: enforce that the secret file exists, else deny without prompting.
# pam_google_authenticator will itself fail if the file is absent; we add a clear hint before it. # pam_google_authenticator will itself fail if the file is absent; we add a clear hint before it.
@@ -1064,8 +1188,8 @@ auth sufficient pam_timestamp.so
# ===== CISS 2FA block ======== # ===== CISS 2FA block ========
# If user is NOT listed -> succeed and SKIP next two lines (no TOTP prompt). # If gate returns SUCCESS => skip next two lines (no TOTP).
auth [success=2 default=ignore] pam_listfile.so item=user sense=deny file=/etc/ciss/2fa.users onerr=ignore auth [success=2 default=ignore] pam_exec.so quiet /usr/local/libexec/ciss_pam_2fa_gate.sh
# For listed users: enforce that the secret file exists, else deny without prompting. # For listed users: enforce that the secret file exists, else deny without prompting.
# pam_google_authenticator will itself fail if the file is absent; we add a clear hint before it. # pam_google_authenticator will itself fail if the file is absent; we add a clear hint before it.
@@ -1129,8 +1253,8 @@ auth sufficient pam_timestamp.so
# ===== CISS 2FA block ======== # ===== CISS 2FA block ========
# If user is NOT listed -> succeed and SKIP next two lines (no TOTP prompt). # If gate returns SUCCESS => skip next two lines (no TOTP).
auth [success=2 default=ignore] pam_listfile.so item=user sense=deny file=/etc/ciss/2fa.users onerr=ignore auth [success=2 default=ignore] pam_exec.so quiet /usr/local/libexec/ciss_pam_2fa_gate.sh
# For listed users: enforce that the secret file exists, else deny without prompting. # For listed users: enforce that the secret file exists, else deny without prompting.
# pam_google_authenticator will itself fail if the file is absent; we add a clear hint before it. # pam_google_authenticator will itself fail if the file is absent; we add a clear hint before it.

65
func/cdi_4900_xtended/4950_final_logrotate.sh Normal file
View File

@@ -0,0 +1,65 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
guard_sourcing
#######################################
# Final update '/etc/logrotate.d/*'.
# Globals:
# RECOVERY
# TARGET
# VAR_RUN_RECOVERY
# Arguments:
# None
# Returns:
# 0: on success
#######################################
final_logrotate() {
### Declare Arrays, HashMaps, and Variables.
declare -ar ary_logrotate=(
"alternatives"
"apt"
"btmp"
"chrony"
"clamav-daemon"
"clamav-freshclam"
"dpkg"
"fail2ban"
"rkhunter"
"rsnapshot"
"ufw"
"unattended-upgrades"
"usbguard"
"wtmp"
)
declare var_file="" var_log=""
declare var_target="${TARGET}"
### Check for TARGET / RECOVERY.
[[ "${VAR_RUN_RECOVERY}" == "true" ]] && var_target="${RECOVERY}"
for var_log in "${ary_logrotate[@]}"; do
var_file="${var_target}/etc/logrotate.d/${var_log}"
[[ -e "${var_file}" ]] || continue
### Replace leading 'monthly'/'weekly' directives with 'daily', preserving indentation and trailing comments.
sed -E -i \
-e 's/^([[:space:]]*)(monthly|weekly)([[:space:]]*)(#.*)?$/\1daily\3\4/' \
-e 's/^([[:space:]]*)rotate([[:space:]]+[0-9]+)?([[:space:]]*)(#.*)?$/\1rotate 128\3\4/' \
"${var_file}"
done
guard_dir && return 0
}
### Prevents accidental 'unset -f'.
# shellcheck disable=SC2034
readonly -f final_logrotate
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

2
includes/target/etc/skel/.ciss.bashrc
View File

@@ -53,7 +53,7 @@ export HISTSIZE="16384"
export HISTTIMEFORMAT='%F %T %z ' export HISTTIMEFORMAT='%F %T %z '
# Optional, cautious filters (avoids trivial leaks, but not foolproof). Caution: HISTIGNORE is coarse-grained, don't overdo it. # Optional, cautious filters (avoids trivial leaks, but not foolproof). Caution: HISTIGNORE is coarse-grained, don't overdo it.
export HISTIGNORE='*PASS*:*pass*:*secret*:*token*:*API_KEY*:*' export HISTIGNORE='*PASS*:*pass*:*secret*:*token*:*API_KEY*'
# With only histappend, entries can be lost or merge with each other in the event of a crash or multiple sessions. # With only histappend, entries can be lost or merge with each other in the event of a crash or multiple sessions.
# "-a": Appends new entries from RAM to the file. # "-a": Appends new entries from RAM to the file.

2
includes/target/etc/skel/.physnet.bashrc
View File

@@ -53,7 +53,7 @@ export HISTSIZE="16384"
export HISTTIMEFORMAT='%F %T %z ' export HISTTIMEFORMAT='%F %T %z '
# Optional, cautious filters (avoids trivial leaks, but not foolproof). Caution: HISTIGNORE is coarse-grained, don't overdo it. # Optional, cautious filters (avoids trivial leaks, but not foolproof). Caution: HISTIGNORE is coarse-grained, don't overdo it.
export HISTIGNORE='*PASS*:*pass*:*secret*:*token*:*API_KEY*:*' export HISTIGNORE='*PASS*:*pass*:*secret*:*token*:*API_KEY*'
# With only histappend, entries can be lost or merge with each other in the event of a crash or multiple sessions. # With only histappend, entries can be lost or merge with each other in the event of a crash or multiple sessions.
# "-a": Appends new entries from RAM to the file. # "-a": Appends new entries from RAM to the file.

2
includes/target/root/.ciss.bashrc
View File

@@ -53,7 +53,7 @@ export HISTSIZE="16384"
export HISTTIMEFORMAT='%F %T %z ' export HISTTIMEFORMAT='%F %T %z '
# Optional, cautious filters (avoids trivial leaks, but not foolproof). Caution: HISTIGNORE is coarse-grained, don't overdo it. # Optional, cautious filters (avoids trivial leaks, but not foolproof). Caution: HISTIGNORE is coarse-grained, don't overdo it.
export HISTIGNORE='*PASS*:*pass*:*secret*:*token*:*API_KEY*:*' export HISTIGNORE='*PASS*:*pass*:*secret*:*token*:*API_KEY*'
# With only histappend, entries can be lost or merge with each other in the event of a crash or multiple sessions. # With only histappend, entries can be lost or merge with each other in the event of a crash or multiple sessions.
# "-a": Appends new entries from RAM to the file. # "-a": Appends new entries from RAM to the file.

2
includes/target/root/.physnet.bashrc
View File

@@ -53,7 +53,7 @@ export HISTSIZE="16384"
export HISTTIMEFORMAT='%F %T %z ' export HISTTIMEFORMAT='%F %T %z '
# Optional, cautious filters (avoids trivial leaks, but not foolproof). Caution: HISTIGNORE is coarse-grained, don't overdo it. # Optional, cautious filters (avoids trivial leaks, but not foolproof). Caution: HISTIGNORE is coarse-grained, don't overdo it.
export HISTIGNORE='*PASS*:*pass*:*secret*:*token*:*API_KEY*:*' export HISTIGNORE='*PASS*:*pass*:*secret*:*token*:*API_KEY*'
# With only histappend, entries can be lost or merge with each other in the event of a crash or multiple sessions. # With only histappend, entries can be lost or merge with each other in the event of a crash or multiple sessions.
# "-a": Appends new entries from RAM to the file. # "-a": Appends new entries from RAM to the file.

153
includes/target/usr/local/libexec/ciss_pam_2fa_gate.sh Normal file
View File

@@ -0,0 +1,153 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
### Purpose: Unified CISS 2FA gate for PAM (auth phase), deciding per 'user' and 'service'.
# Exit 0 => PAM_SUCCESS (skip next N lines via the control flag).
# Exit 1 => non-success (fall through to GA lines).
### Policy : "strict" by default: if service=1 and secret missing => GA will fail (no prompt).
# Set CISS_POLICY=permissive to skip GA when the secret is missing.
set -Ceuo pipefail
### Declare Arrays, HashMaps, and Variables.
declare -g VAR_MAP_FILE="/etc/ciss/2fa.map"
declare -g VAR_POLICY="${CISS_POLICY:-strict}"
### PAM variables provided by pam_exec:
declare -g VAR_U="${PAM_USER:-}"
declare -g VAR_S="${PAM_SERVICE:-}"
#######################################
# Read flag for user and service (0/1), default: empty (not found).
# Globals:
# VAR_MAP_FILE
# VAR_U
# Arguments:
# 1: PAM module / service {login, sshd, su, sudo}
# Returns:
# 0: on success
#######################################
read_flag() {
declare -r var_col="${1}"
declare line=""
while IFS= read -r line; do
### Strip leading / trailing spaces.
line="${line#"${line%%[![:space:]]*}"}"
line="${line%"${line##*[![:space:]]}"}"
[[ -z "${line}" || "${line}" == \#* ]] && continue
declare user="" f_login="" f_sshd="" f_su="" f_sudo="" _rest=""
IFS=: read -r user f_login f_sshd f_su f_sudo _rest <<<"${line}"
[[ "${user}" != "${VAR_U}" ]] && continue
case "${var_col}" in
2) echo "${f_login}"; return 0 ;;
3) echo "${f_sshd}"; return 0 ;;
4) echo "${f_su}"; return 0 ;;
5) echo "${f_sudo}"; return 0 ;;
*) echo ""; return 0 ;;
esac
done < "${VAR_MAP_FILE}"
echo ""
return 0
}
### Prevents accidental 'unset -f'.
# shellcheck disable=SC2034
readonly -f read_flag
#######################################
# Map PAM service to column index in the map (1-based after USER).
# Globals:
# None
# Arguments:
# 1: PAM module / service {login, sshd, su, sudo}
# Returns:
# 0: on success
#######################################
map_service_to_col() {
declare -r var_s="${1}"
case "${var_s}" in
login) echo 2 ;;
sshd) echo 3 ;;
su) echo 4 ;;
sudo) echo 5 ;;
*) echo 0 ;; # Unknown services => behave as "not enforced".
esac
}
### Prevents accidental 'unset -f'.
# shellcheck disable=SC2034
readonly -f map_service_to_col
#######################################
# Main function wrapper.
# Globals:
# VAR_MAP_FILE
# VAR_POLICY
# VAR_S
# VAR_U
# Arguments:
# None
# Returns:
# 0: on success
# 1: on failure
#######################################
main() {
### On missing map, behave like "not listed" (skip GA), analogous to onerr=ignore.
if [[ ! -r "${VAR_MAP_FILE}" || -z "${VAR_U}" || -z "${VAR_S}" ]]; then
exit 0
fi
declare col; col="$(map_service_to_col "${VAR_S}")"
### Treat unknown service as "not enforced".
[[ "${col}" -eq 0 ]] && exit 0
declare flag=""; flag="$(read_flag "${col}")"
### Not listed => skip GA.
[[ -z "${flag}" ]] && exit 0
### Listed with explicit 0 => skip GA.
[[ "${flag}" == "0" ]] && exit 0
### If the flag == "1" => enforces GA for this service.
### Optional permissive mode: If the secret is missing, then skip GA instead of enforcing.
if [[ "${VAR_POLICY}" == "permissive" ]]; then
declare home=""
### Resolve home via getent passwd (avoids $HOME spoofing).
home="$(getent passwd -- "${VAR_U}" | cut -d: -f6)"
if [[ -n "${home}" && ! -f "${home}/.google_authenticator" ]]; then
exit 0
fi
fi
# Enforce GA: return non-zero so PAM control falls through to GA lines.
exit 1
}
### Prevents accidental 'unset -f'.
# shellcheck disable=SC2034
readonly -f main
main "$@"
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

1
meta_loader_func.sh
View File

@@ -116,6 +116,7 @@ source_guard "./func/cdi_4600_packages/4630_auditing_packages.sh"
### cdi_4900_xtended ### cdi_4900_xtended
source_guard "./func/cdi_4900_xtended/4900_final_command.sh" source_guard "./func/cdi_4900_xtended/4900_final_command.sh"
source_guard "./func/cdi_4900_xtended/4950_final_logrotate.sh"
source_guard "./func/cdi_4900_xtended/4999_exiting_chroot_system.sh" source_guard "./func/cdi_4900_xtended/4999_exiting_chroot_system.sh"
### cdi_5000_recovery ### cdi_5000_recovery