V8.00.000.2025.06.17
All checks were successful
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 1m47s
All checks were successful
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 1m47s
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
This commit is contained in:
@@ -25,7 +25,7 @@ guard_sourcing
|
||||
#######################################
|
||||
setup_grub_bootparameter() {
|
||||
### Install Kernel Hardening-Presets
|
||||
cp "${VAR_SETUP_PATH}/includes/etc/sysctl.d/99_local.hardened" "${TARGET}/etc/sysctl.d/99_local.hardened"
|
||||
cp "${VAR_SETUP_PATH}/includes/etc/sysctl.d/99_local.hardened.ini" "${TARGET}/etc/sysctl.d/99_local.hardened"
|
||||
chmod 0644 "${TARGET}/etc/sysctl.d/99_local.hardened"
|
||||
|
||||
### Entropy collection improvements
|
||||
|
||||
@@ -13,7 +13,7 @@
|
||||
guard_sourcing
|
||||
|
||||
#######################################
|
||||
# Install microcode updates depending on architecture (amd64, arm64, intel64) and environment (Baremetal, VM)
|
||||
# Install microcode updates depending on architecture (amd64, arm64, intel64) and environment (Baremetal, VM).
|
||||
# Globals:
|
||||
# TARGET
|
||||
# Arguments:
|
||||
|
||||
86
func/4180_setup_ssh.sh
Normal file
86
func/4180_setup_ssh.sh
Normal file
@@ -0,0 +1,86 @@
|
||||
#!/bin/bash
|
||||
# SPDX-Version: 3.0
|
||||
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
|
||||
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
|
||||
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
|
||||
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
|
||||
# SPDX-FileType: SOURCE
|
||||
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
|
||||
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
|
||||
# SPDX-PackageName: CISS.debian.installer
|
||||
# SPDX-Security-Contact: security@coresecret.eu
|
||||
|
||||
guard_sourcing
|
||||
|
||||
#######################################
|
||||
# Setup ssh server.
|
||||
# Globals:
|
||||
# DIR_BAK
|
||||
# DIR_LOG
|
||||
# TARGET
|
||||
# VAR_FINAL_FQDN
|
||||
# VAR_FINAL_IPV4
|
||||
# VAR_FINAL_IPV6
|
||||
# VAR_SETUP_PATH
|
||||
# user_ssh_port
|
||||
# user_user0_name
|
||||
# Arguments:
|
||||
# None
|
||||
# Returns:
|
||||
# 0: Successfully executed commands.
|
||||
#######################################
|
||||
setup_ssh() {
|
||||
do_in_target "${TARGET}" apt-get install -y ssh
|
||||
|
||||
rm -rf "${TARGET}/etc/ssh/ssh_host_*key*"
|
||||
|
||||
do_in_target "${TARGET}" ssh-keygen -o -N "" -t ed25519 -f /etc/ssh/ssh_host_ed25519_key -C "root@${VAR_FINAL_FQDN}-$(date -I)"
|
||||
do_log "info" "true" "Generated ed25519 SSH Key, executed in: '${TARGET}'."
|
||||
|
||||
do_in_target "${TARGET}" ssh-keygen -o -N "" -t rsa -b 4096 -f /etc/ssh/ssh_host_rsa_key -C "root@${VAR_FINAL_FQDN}-$(date -I)"
|
||||
do_log "info" "true" "Generated RSA4096 SSH Key, executed in: '${TARGET}'."
|
||||
|
||||
|
||||
mkdir -p "${DIR_BAK}/etc/ssh"
|
||||
cp "${TARGET}/etc/ssh/sshd_config" "${DIR_BAK}/etc/ssh/sshd_config.bak"
|
||||
chmod 0644 "${DIR_BAK}/etc/ssh/sshd_config.bak"
|
||||
cp "${TARGET}/etc/ssh/ssh_config" "${DIR_BAK}/etc/ssh/ssh_config.bak"
|
||||
chmod 0644 "${DIR_BAK}/etc/ssh/ssh_config.bak"
|
||||
|
||||
rm "${TARGET}/etc/ssh/sshd_config"
|
||||
|
||||
cp "${VAR_SETUP_PATH}/includes/etc/ssh/sshd_config" "${TARGET}/etc/ssh/sshd_config"
|
||||
chmod 0600 "${TARGET}/etc/ssh/sshd_config"
|
||||
chmod 0600 "${TARGET}/etc/ssh/ssh_config"
|
||||
|
||||
sed -i "s/ListenAddress 0.0.0.0/ListenAddress ${VAR_FINAL_IPV4}/" "${TARGET}/etc/ssh/sshd_config"
|
||||
|
||||
if [[ -n "${VAR_FINAL_IPV6}" ]]; then
|
||||
sed -i "s/ListenAddress ::/ListenAddress ${VAR_FINAL_IPV6}/" "${TARGET}/etc/ssh/sshd_config"
|
||||
else
|
||||
sed -i "/^\s*ListenAddress\s*::/d" "${TARGET}/etc/ssh/sshd_config"
|
||||
fi
|
||||
|
||||
sed -i "s/Port MUST_BE_CHANGED/Port ${user_ssh_port}/" "${TARGET}/etc/ssh/sshd_config"
|
||||
|
||||
if [[ -n "${user_user0_name,,}" ]]; then
|
||||
sed -i "s/AllowUsers root/AllowUsers root ${user_user0_name}/" "${TARGET}/etc/ssh/sshd_config"
|
||||
fi
|
||||
|
||||
do_in_target "${TARGET}" sshd -T >| "${DIR_LOG}/sshd_config.log"
|
||||
do_in_target "${TARGET}" ssh-keygen -r "${VAR_FINAL_FQDN}." >| "${DIR_LOG}/ssh.log"
|
||||
|
||||
###########################################################################################
|
||||
# The file /etc/profile.d/idle-users.sh is created to set two read-only #
|
||||
# environment variables: TMOUT and HISTFILE. #
|
||||
# TMOUT=14400 ensures that users are automatically logged out after 4 hours of inactivity.#
|
||||
# readonly HISTFILE ensures that the command history cannot be changed. #
|
||||
# The chmod +x command ensures that the file is executed in every shell session. #
|
||||
###########################################################################################
|
||||
echo "readonly TMOUT=14400" >| "${TARGET}/etc/profile.d/idle-users.sh"
|
||||
#echo "readonly HISTFILE" >> "${TARGET}/etc/profile.d/idle-users.sh"
|
||||
chmod +x "${TARGET}/etc/profile.d/idle-users.sh"
|
||||
|
||||
return 0
|
||||
}
|
||||
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
|
||||
Reference in New Issue
Block a user