V8.00.000.2025.06.17
All checks were successful
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 1m54s
All checks were successful
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 1m54s
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
This commit is contained in:
@@ -115,7 +115,7 @@ dropbear:
|
||||
firewall: false # Yet not implemented. MUST be "false".
|
||||
# Additional ultra hardening of the dropbear initramfs environment via firewall.
|
||||
# The "bastion_ipv4" MUST be provided.
|
||||
port: 42137 # SSH Port dropbear initramfs should listen.
|
||||
port: 44137 # SSH Port dropbear initramfs should listen.
|
||||
pub_key: "/.preseed/unlock_wrapper_pubring.gpg"
|
||||
# './path/to/unlock_wrapper_pubring.pgp' to check the signature of: 'unlock-wrapper.sh.sha512.sig'
|
||||
sha_file: "/.preseed/unlock_wrapper.sh.sha512"
|
||||
@@ -133,7 +133,7 @@ grub_parameter:
|
||||
# undetected. During boot if audit=1, then the backlog will hold 64 records. If more than 64 records are created during boot,
|
||||
# auditd records will be lost, and potential malicious activity could go undetected.
|
||||
##############################################################################################################################
|
||||
- "audit_backlog_limit=8192"
|
||||
- "audit_backlog_limit=16384"
|
||||
- "audit=1"
|
||||
|
||||
##############################################################################################################################
|
||||
@@ -268,7 +268,7 @@ grub_parameter:
|
||||
# 6 (KERN_INFO) informational
|
||||
# 7 (KERN_DEBUG) debug-level messages
|
||||
##############################################################################################################################
|
||||
- "loglevel=7"
|
||||
- "loglevel=0"
|
||||
|
||||
##############################################################################################################################
|
||||
# If mitigations=auto,nosmt is set, see before, then these flags should not be set individually because they are redundant.
|
||||
@@ -432,7 +432,7 @@ grub_parameter:
|
||||
grub:
|
||||
background: # RECOMMENDED settings: JPG 1280 x 1024 px or JPG 1920 x 1080 px
|
||||
enable: true # If you want to add a GRUB background.
|
||||
path: "/includes/target/etc/default/grub.d/club_1280_720.png"
|
||||
path: "/includes/target/etc/default/grub.d/hexagon_1280_720.png"
|
||||
bootdev: "/dev/sda" # Due notably to potential USB sticks, the location of the primary drive cannot be determined
|
||||
# safely in general, so this needs to be specified.
|
||||
force_efi: true # Force GRUB installation to the EFI removable media path?
|
||||
@@ -681,7 +681,9 @@ software:
|
||||
##############################################################################################################################
|
||||
### Installed by 4310_dropbear_build.sh
|
||||
##############################################################################################################################
|
||||
# dropbear-bin
|
||||
# dropbear-initramfs
|
||||
# gpgv
|
||||
#
|
||||
##############################################################################################################################
|
||||
### Installed by 4330_installation_ssh.sh
|
||||
@@ -843,12 +845,12 @@ user:
|
||||
sshpubkey: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINAYZDAqVZUk3LwJsqeVHKvLn8UKkFx642VBbiSS8uSY 2025_ciss.debian.live.ISO_PUBLIC_ONLY"
|
||||
authentication:
|
||||
access:
|
||||
ssh: false # Allow SSH access.
|
||||
tty: false # Allow TTY (local console) login.
|
||||
password: false # Allow password login. SSH password login is always disabled.
|
||||
ssh: true # Allow SSH access.
|
||||
tty: true # Allow TTY (local console) login.
|
||||
password: true # Allow password login. SSH password login is always disabled.
|
||||
2fa:
|
||||
ssh: true # Require 2FA for SSH access.
|
||||
tty: true # Require 2FA for TTY (local console) login.
|
||||
ssh: false # Require 2FA for SSH access.
|
||||
tty: false # Require 2FA for TTY (local console) login.
|
||||
privileges:
|
||||
description: "Root user with full system access and administrative privileges."
|
||||
restricted: false # If true, the user is limited in scope (e.g., no login, no file access, --no-create-home)
|
||||
@@ -876,8 +878,8 @@ user:
|
||||
tty: true # Allow TTY (local console) login.
|
||||
password: true # Allow password login. SSH password login is always disabled.
|
||||
2fa:
|
||||
ssh: true # Require 2FA for SSH access.
|
||||
tty: true # Require 2FA for TTY (local console) login.
|
||||
ssh: false # Require 2FA for SSH access.
|
||||
tty: false # Require 2FA for TTY (local console) login.
|
||||
privileges:
|
||||
description: "Primary admin user with full sudo access and interactive login."
|
||||
sudo: true # Whether the user can escalate to root using sudo.
|
||||
|
||||
@@ -25,15 +25,16 @@ installation_masking() {
|
||||
chroot_script "${TARGET}" "
|
||||
systemctl mask ctrl-alt-del.target sleep.target suspend.target hibernate.target hybrid-sleep.target
|
||||
"
|
||||
|
||||
do_log "info" "file_only" "4133() Masked: [ctrl-alt-del.target sleep.target suspend.target hibernate.target hybrid-sleep.target]"
|
||||
|
||||
chroot_script "${TARGET}" "
|
||||
systemctl mask plymouth-start.service plymouth-quit.service plymouth-quit-wait.service plymouth-read-write.service
|
||||
"
|
||||
|
||||
do_log "info" "file_only" "4133() Masked: [plymouth-start.service plymouth-quit.service plymouth-quit-wait.service plymouth-read-write.service]"
|
||||
|
||||
guard_dir && return 0
|
||||
}
|
||||
### Prevents accidental 'unset -f'.
|
||||
# shellcheck disable=SC2034
|
||||
readonly -f installation_masking
|
||||
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
|
||||
|
||||
@@ -16,16 +16,13 @@ guard_sourcing
|
||||
# Build Ultra Hardened dropbear-2025.88 from sources.
|
||||
# Globals:
|
||||
# DIR_TMP
|
||||
# PATH
|
||||
# PATH_SEPARATOR
|
||||
# SHELLOPTS
|
||||
# VAR_DEBUG_TRACE
|
||||
# TARGET
|
||||
# VAR_SETUP_PATH
|
||||
# Arguments:
|
||||
# None
|
||||
# Returns:
|
||||
# 0: on success
|
||||
# ERR_PATH_NOT_VALID
|
||||
# ERR_PATH_NOT_VALID: on failure
|
||||
#######################################
|
||||
dropbear_build() {
|
||||
### Declare Arrays, HashMaps, and Variables.
|
||||
@@ -76,4 +73,7 @@ dropbear_build() {
|
||||
|
||||
guard_dir && return 0
|
||||
}
|
||||
### Prevents accidental 'unset -f'.
|
||||
# shellcheck disable=SC2034
|
||||
readonly -f dropbear_build
|
||||
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
|
||||
|
||||
@@ -31,10 +31,15 @@ dropbear_initramfs() {
|
||||
|
||||
chroot_script "${TARGET}" '
|
||||
export INITRD=No
|
||||
apt-get install -y --no-install-recommends --no-install-suggests dropbear-initramfs 2>&1 | tee -a '"${var_logfile}"'
|
||||
apt-get install -y --no-install-recommends --no-install-suggests dropbear-initramfs dropbear-bin 2>&1 | tee -a '"${var_logfile}"'
|
||||
echo ExitCode: $? >> '"${var_logfile}"'
|
||||
'
|
||||
|
||||
chroot_script "${TARGET}" '
|
||||
export INITRD=No
|
||||
apt-get purge -y dropbear dropbear-run || true
|
||||
echo ExitCode: $? >> '"${var_logfile}"'
|
||||
'
|
||||
|
||||
chroot_script "${TARGET}" '
|
||||
export INITRD=No
|
||||
@@ -42,14 +47,12 @@ dropbear_initramfs() {
|
||||
echo ExitCode: $? >> '"${var_logfile}"'
|
||||
'
|
||||
|
||||
|
||||
chroot_script "${TARGET}" '
|
||||
export INITRD=No
|
||||
apt-mark hold dropbear dropbear-initramfs 2>&1 | tee -a '"${var_logfile}"'
|
||||
echo ExitCode: $? >> '"${var_logfile}"'
|
||||
'
|
||||
|
||||
|
||||
mv "${TARGET}/usr/sbin/dropbear" "${TARGET}/usr/sbin/dropbear.trixie"
|
||||
install -D -m 0755 -o root -g root "${DIR_TMP}/build/dropbear-2025.88/dropbear" "${TARGET}/usr/sbin/"
|
||||
do_log "debug" "file_only" "4311() Installation [dropbear] successful."
|
||||
@@ -73,7 +76,6 @@ Pin-Priority: -1
|
||||
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
|
||||
EOF
|
||||
|
||||
|
||||
insert_header "${TARGET}/etc/apt/preferences.d/99-mask-dropbear-initramfs"
|
||||
insert_comments "${TARGET}/etc/apt/preferences.d/99-mask-dropbear-initramfs"
|
||||
cat << 'EOF' >> "${TARGET}/etc/apt/preferences.d/99-mask-dropbear-initramfs"
|
||||
@@ -85,10 +87,12 @@ Pin-Priority: -1
|
||||
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
|
||||
EOF
|
||||
|
||||
|
||||
chroot_script "${TARGET}" "systemctl mask dropbear.service dropbear.socket"
|
||||
do_log "info" "file_only" "4311() Masked: [dropbear.service dropbear.socket]"
|
||||
|
||||
guard_dir && return 0
|
||||
}
|
||||
### Prevents accidental 'unset -f'.
|
||||
# shellcheck disable=SC2034
|
||||
readonly -f dropbear_initramfs
|
||||
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
|
||||
|
||||
@@ -46,6 +46,8 @@ update_initramfs() {
|
||||
echo ExitCode: \$? >> ${var_logfile}
|
||||
"
|
||||
|
||||
chmod 0400 "${TARGET}/boot/grub/grub.cfg"
|
||||
|
||||
guard_dir && return 0
|
||||
}
|
||||
### Prevents accidental 'unset -f'.
|
||||
|
||||
@@ -37,6 +37,20 @@ installation_ssh() {
|
||||
|
||||
chroot_exec "${TARGET}" apt-get install -y --no-install-recommends --no-install-suggests ssh
|
||||
|
||||
mkdir -p "${TARGET}/etc/systemd/system/ssh.service.d"
|
||||
|
||||
cat << EOF >| "${TARGET}/etc/systemd/system/ssh.service.d/override.conf"
|
||||
[Unit]
|
||||
After=network-online.target
|
||||
Wants=network-online.target
|
||||
|
||||
[Service]
|
||||
### If anything named 'dropbear' survived, kill it before binding.
|
||||
ExecStartPre=/usr/bin/pkill -x dropbear || :
|
||||
Restart=on-failure
|
||||
RestartSec=3s
|
||||
EOF
|
||||
|
||||
install -D -m 0644 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/banner" "${TARGET}/etc/"
|
||||
install -D -m 0644 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/motd" "${TARGET}/etc/"
|
||||
do_log "info" "file_only" "4420() Installed SSH '/etc/banner' and '/etc/motd'."
|
||||
@@ -156,4 +170,7 @@ EOF
|
||||
|
||||
guard_dir && return 0
|
||||
}
|
||||
### Prevents accidental 'unset -f'.
|
||||
# shellcheck disable=SC2034
|
||||
readonly -f installation_ssh
|
||||
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
|
||||
|
||||
@@ -22,17 +22,34 @@ guard_sourcing
|
||||
# 0: on success
|
||||
#######################################
|
||||
hardening_files() {
|
||||
declare var_bin="" var_binary=""
|
||||
|
||||
chmod 0700 "${TARGET}/etc/cron.d" "${TARGET}/etc/cron.daily" "${TARGET}/etc/cron.hourly" "${TARGET}/etc/cron.monthly" \
|
||||
"${TARGET}/etc/cron.weekly"
|
||||
chmod 0700 "${TARGET}/etc/sudoers.d"
|
||||
chmod 0700 "${TARGET}/etc/crontab"
|
||||
|
||||
[[ -f "${TARGET}/etc/cron.deny" ]] && rm "${TARGET}/etc/cron.deny"
|
||||
|
||||
rm -f "${TARGET}/etc/issue" "${TARGET}/etc/issue.net"
|
||||
install -m 0644 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/issue" "${TARGET}/etc/issue"
|
||||
install -m 0644 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/issue.net" "${TARGET}/etc/issue.net"
|
||||
|
||||
install -d -m 0700 -o root -g root "${TARGET}/root/.ansible"
|
||||
|
||||
for var_bin in as gcc g++ cc clang; do
|
||||
var_binary=$(readlink -f "${TARGET}/usr/bin/${var_bin}") || {
|
||||
do_log "info" "file_only" "4430() Binary: '${var_bin}' not found, skipping."
|
||||
continue
|
||||
}
|
||||
chmod 0700 "${var_binary}" || {
|
||||
do_log "info" "file_only" "4430() Binary chmod 0700: '${var_bin}' failed, skipping."
|
||||
}
|
||||
done
|
||||
|
||||
guard_dir && return 0
|
||||
}
|
||||
### Prevents accidental 'unset -f'.
|
||||
# shellcheck disable=SC2034
|
||||
readonly -f hardening_files
|
||||
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
|
||||
|
||||
@@ -46,7 +46,7 @@ install_verification() {
|
||||
|
||||
## Increase the buffers to survive stress events.
|
||||
## Make this bigger for busy systems
|
||||
-b 8192
|
||||
-b 16384
|
||||
|
||||
## This determine how long to wait in burst of events
|
||||
--backlog_wait_time 60000
|
||||
|
||||
Reference in New Issue
Block a user