msw/CISS.debian.installer
SHA256
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

V8.00.000.2025.06.17
All checks were successful
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 1m47s
Details

Browse Source 
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
This commit is contained in:
Marc S. Weidner
2025-07-15 22:10:31 +02:00
parent 0bd2e67810
commit 1acc23c70b
6 changed files with 223 additions and 103 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
func/4160_grub_bootparameter.sh
View File

@@ -25,7 +25,7 @@ guard_sourcing
####################################### #######################################
setup_grub_bootparameter() { setup_grub_bootparameter() {
### Install Kernel Hardening-Presets ### Install Kernel Hardening-Presets
cp "${VAR_SETUP_PATH}/includes/etc/sysctl.d/99_local.hardened" "${TARGET}/etc/sysctl.d/99_local.hardened" cp "${VAR_SETUP_PATH}/includes/etc/sysctl.d/99_local.hardened.ini" "${TARGET}/etc/sysctl.d/99_local.hardened"
chmod 0644 "${TARGET}/etc/sysctl.d/99_local.hardened" chmod 0644 "${TARGET}/etc/sysctl.d/99_local.hardened"
### Entropy collection improvements ### Entropy collection improvements

2
func/4170_installation_microcode.sh
View File

@@ -13,7 +13,7 @@
guard_sourcing guard_sourcing
####################################### #######################################
# Install microcode updates depending on architecture (amd64, arm64, intel64) and environment (Baremetal, VM) # Install microcode updates depending on architecture (amd64, arm64, intel64) and environment (Baremetal, VM).
# Globals: # Globals:
# TARGET # TARGET
# Arguments: # Arguments:

86
func/4180_setup_ssh.sh Normal file
View File

@@ -0,0 +1,86 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
guard_sourcing
#######################################
# Setup ssh server.
# Globals:
# DIR_BAK
# DIR_LOG
# TARGET
# VAR_FINAL_FQDN
# VAR_FINAL_IPV4
# VAR_FINAL_IPV6
# VAR_SETUP_PATH
# user_ssh_port
# user_user0_name
# Arguments:
# None
# Returns:
# 0: Successfully executed commands.
#######################################
setup_ssh() {
do_in_target "${TARGET}" apt-get install -y ssh
rm -rf "${TARGET}/etc/ssh/ssh_host_*key*"
do_in_target "${TARGET}" ssh-keygen -o -N "" -t ed25519 -f /etc/ssh/ssh_host_ed25519_key -C "root@${VAR_FINAL_FQDN}-$(date -I)"
do_log "info" "true" "Generated ed25519 SSH Key, executed in: '${TARGET}'."
do_in_target "${TARGET}" ssh-keygen -o -N "" -t rsa -b 4096 -f /etc/ssh/ssh_host_rsa_key -C "root@${VAR_FINAL_FQDN}-$(date -I)"
do_log "info" "true" "Generated RSA4096 SSH Key, executed in: '${TARGET}'."
mkdir -p "${DIR_BAK}/etc/ssh"
cp "${TARGET}/etc/ssh/sshd_config" "${DIR_BAK}/etc/ssh/sshd_config.bak"
chmod 0644 "${DIR_BAK}/etc/ssh/sshd_config.bak"
cp "${TARGET}/etc/ssh/ssh_config" "${DIR_BAK}/etc/ssh/ssh_config.bak"
chmod 0644 "${DIR_BAK}/etc/ssh/ssh_config.bak"
rm "${TARGET}/etc/ssh/sshd_config"
cp "${VAR_SETUP_PATH}/includes/etc/ssh/sshd_config" "${TARGET}/etc/ssh/sshd_config"
chmod 0600 "${TARGET}/etc/ssh/sshd_config"
chmod 0600 "${TARGET}/etc/ssh/ssh_config"
sed -i "s/ListenAddress 0.0.0.0/ListenAddress ${VAR_FINAL_IPV4}/" "${TARGET}/etc/ssh/sshd_config"
if [[ -n "${VAR_FINAL_IPV6}" ]]; then
sed -i "s/ListenAddress ::/ListenAddress ${VAR_FINAL_IPV6}/" "${TARGET}/etc/ssh/sshd_config"
else
sed -i "/^\s*ListenAddress\s*::/d" "${TARGET}/etc/ssh/sshd_config"
fi
sed -i "s/Port MUST_BE_CHANGED/Port ${user_ssh_port}/" "${TARGET}/etc/ssh/sshd_config"
if [[ -n "${user_user0_name,,}" ]]; then
sed -i "s/AllowUsers root/AllowUsers root ${user_user0_name}/" "${TARGET}/etc/ssh/sshd_config"
fi
do_in_target "${TARGET}" sshd -T >| "${DIR_LOG}/sshd_config.log"
do_in_target "${TARGET}" ssh-keygen -r "${VAR_FINAL_FQDN}." >| "${DIR_LOG}/ssh.log"
###########################################################################################
# The file /etc/profile.d/idle-users.sh is created to set two read-only #
# environment variables: TMOUT and HISTFILE. #
# TMOUT=14400 ensures that users are automatically logged out after 4 hours of inactivity.#
# readonly HISTFILE ensures that the command history cannot be changed. #
# The chmod +x command ensures that the file is executed in every shell session. #
###########################################################################################
echo "readonly TMOUT=14400" >| "${TARGET}/etc/profile.d/idle-users.sh"
#echo "readonly HISTFILE" >> "${TARGET}/etc/profile.d/idle-users.sh"
chmod +x "${TARGET}/etc/profile.d/idle-users.sh"
return 0
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

134
includes/etc/ssh/sshd_config Normal file
View File

@@ -0,0 +1,134 @@
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
### Version Master V8.03.864.2025.07.15
### https://www.ssh-audit.com/
### ssh -Q cipher | cipher-auth | compression | kex | kex-gss | key | key-cert | key-plain | key-sig | mac | protocol-version | sig
Include /etc/ssh/sshd_config.d/*.conf
Protocol 2
Banner /etc/banner
DebianBanner no
VersionAddendum none
Compression no
LogLevel VERBOSE
AddressFamily any
ListenAddress 0.0.0.0
ListenAddress ::
Port MUST_BE_CHANGED
AllowUsers root
UseDNS no
### Force a key exchange after transferring 1 GiB of data or 1 hour of session time,
### whichever occurs first.
RekeyLimit 1G 1h
HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_rsa_key
PubkeyAuthentication yes
PermitRootLogin prohibit-password
PasswordAuthentication no
PermitEmptyPasswords no
StrictModes yes
LoginGraceTime 2m
MaxAuthTries 3
MaxSessions 2
### Begin randomly dropping new unauthenticated connections after the 8th attempt,
### with a 64% chance to drop each additional connection, up to a hard limit of 16.
MaxStartups 08:64:16
### Restrict each individual source IP to only 4 unauthenticated connection slot
### in the concurrent MaxStartups pool, preventing one IP from monopolizing slots.
PerSourceMaxStartups 8
ClientAliveInterval 300
ClientAliveCountMax 2
AuthorizedKeysFile %h/.ssh/authorized_keys
AllowAgentForwarding no
AllowTcpForwarding no
X11Forwarding no
GatewayPorts no
### A+ Rating 100/100
RequiredRSASize 4096
Ciphers aes256-gcm@openssh.com
KexAlgorithms sntrup761x25519-sha512@openssh.com,sntrup761x25519-sha512,gss-curve25519-sha256-
HostKeyAlgorithms sk-ssh-ed25519-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-256
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
CASignatureAlgorithms rsa-sha2-512,rsa-sha2-256,ssh-ed25519,sk-ssh-ed25519@openssh.com
GSSAPIKexAlgorithms gss-curve25519-sha256-,gss-group16-sha512-
HostbasedAcceptedAlgorithms sk-ssh-ed25519-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-256
PubkeyAcceptedAlgorithms sk-ssh-ed25519-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-256
### Change to yes to enable challenge-response passwords (beware issues with some PAM modules and threads)
KbdInteractiveAuthentication no
### Set this to 'yes' to enable PAM authentication, account processing,
### and session processing. If this is enabled, PAM authentication will
### be allowed through the ChallengeResponseAuthentication and
### PasswordAuthentication. Depending on your PAM configuration,
### PAM authentication via ChallengeResponseAuthentication may bypass
### the setting of "PermitRootLogin without-password".
### If you just want the PAM account and session checks to run without
### PAM authentication, then enable this but set PasswordAuthentication
### and ChallengeResponseAuthentication to 'no'.
UsePAM yes
### Allow client to pass locale environment variables
AcceptEnv LANG LC_*
### override default of no subsystems
Subsystem sftp /usr/lib/openssh/sftp-server
PidFile /var/run/sshd.pid
PrintMotd no
PrintLastLog yes
TCPKeepAlive no
### For this to work you will also need host keys in /etc/ssh/ssh_known_hosts!
### Change to yes if you don't trust ~/.ssh/known_hosts for HostbasedAuthentication!
HostbasedAuthentication no
### Don't read the user's ~/.rhosts and ~/.shosts files
# IgnoreRhosts yes
# UsePrivilegeSeparation yes
### Kerberos options
# KerberosAuthentication no
# KerberosOrLocalPasswd yes
# KerberosTicketCleanup yes
# KerberosGetAFSToken no
### GSSAPI options
# GSSAPIAuthentication no
# GSSAPICleanupCredentials yes
# GSSAPIStrictAcceptorCheck yes
# GSSAPIKeyExchange no
# AuthorizedPrincipalsFile none
# AuthorizedKeysCommand none
# AuthorizedKeysCommandUser nobody
# PermitTunnel no
# ChrootDirectory none
# X11DisplayOffset 10
# X11UseLocalhost yes
# PermitTTY yes
# PermitUserEnvironment no
# IgnoreUserKnownHosts no
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf

2
includes/etc/sysctl.d/99_local.hardened
View File

@@ -325,4 +325,4 @@ net.ipv4.tcp_max_syn_backlog=4096
########################################################################################### ###########################################################################################
net.ipv4.tcp_synack_retries=2 net.ipv4.tcp_synack_retries=2
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf

100
source/func/3.8.2.functions_installation_setup_ssh.sh
View File

@@ -1,100 +0,0 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-02-13; WEIDNER, Marc S.; <cendev@coresecret.eu>
# SPDX-ExternalRef: GIT https://cendev.eu/marc.weidner/CISS.2025.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <cendev@coresecret.eu>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.2025.hardened.installer framework.
# SPDX-PackageName: CISS.2025.hardened.installer
# SPDX-Security-Contact: security@coresecret.eu
###########################################################################################
# 3.8.2. Functions - installation - setup ssh #
###########################################################################################
###########################################################################################
# Setup ssh server
# Globals:
# DIR_BAK
# DIR_LOG
# FINAL_FQDN
# FINAL_IPV4_ADDRESS
# FINAL_IPV6_ADDRESS
# MODULE_ERR
# MODULE_TXT
# PATH_ABS
# TARGET
# accounts_ssh
# accounts_user_login
# accounts_user_name
# Arguments:
# None
###########################################################################################
3_8_2_functions_installation_setup_ssh() {
declare -g -x MODULE_ERR="3_8_2_functions_installation_setup_ssh"
declare -g -x MODULE_TXT="Setup ssh"
do_show_header "${MODULE_TXT}"
do_in_target "${TARGET}" apt-get install -y ssh
do_log "info" "false" "Command: 'apt-get install -y ssh' executed in: '${TARGET}'."
rm -rf "${TARGET}"/etc/ssh/ssh_host_*key*
do_in_target "${TARGET}" ssh-keygen -o -a "${accounts_ssh-keyrounds}" -N "" -t ed25519 -f /etc/ssh/ssh_host_ed25519_key -C "root@${FINAL_FQDN}-$(date -I)"
do_log "info" "false" "Generated ed25519 SSH Key, executed in: '${TARGET}'."
do_in_target "${TARGET}" ssh-keygen -o -a "${accounts_ssh-keyrounds}" -N "" -t rsa -b 4096 -f /etc/ssh/ssh_host_rsa_key -C "root@${FINAL_FQDN}-$(date -I)"
do_log "info" "false" "Generated RSA4096 SSH Key, executed in chroot."
declare TIMESTAMP
TIMESTAMP=$(do_get_timestamp)
echo "${TIMESTAMP}" >> "${DIR_LOG}"sshd_config.log && sshd -T >> "${DIR_LOG}"sshd_config.log
echo "${TIMESTAMP}" >> "${DIR_LOG}"ssh.log && ssh-keygen -r @ >> "${DIR_LOG}"ssh.log
cp -u "${TARGET}"/etc/ssh/sshd_config "${DIR_BAK}"sshd_config.bak
chmod 0644 "${DIR_BAK}"sshd_config.bak
cp -u "${TARGET}"/etc/ssh/ssh_config "${DIR_BAK}"ssh_config.bak
chmod 0644 "${DIR_BAK}"ssh_config.bak
rm "${TARGET}"/etc/ssh/sshd_config
cp "${PATH_ABS}"/.assets/sshd_config "${TARGET}"/etc/ssh/sshd_config
sed -i "s/ListenAddress 0.0.0.0/ListenAddress ${FINAL_IPV4_ADDRESS}/" "${TARGET}"/etc/ssh/sshd_config
if [[ -n ${FINAL_IPV6_ADDRESS} ]]; then
sed -i "s/ListenAddress ::/ListenAddress ${FINAL_IPV6_ADDRESS}/" "${TARGET}"/etc/ssh/sshd_config
else
sed -i "/^\s*ListenAddress\s*::/d" "${TARGET}"/etc/ssh/sshd_config
fi
sed -i "s/Port 22/Port ${accounts_ssh-port}/" "${TARGET}"/etc/ssh/sshd_config
if [[ ${accounts_user_login,,} == "true" ]]; then
sed -i "s/AllowUsers DUMMYSTRING/AllowUsers root ${accounts_user_name}/" "${TARGET}"/etc/ssh/sshd_config
else
sed -i "s/AllowUsers DUMMYSTRING/AllowUsers root/" "${TARGET}"/etc/ssh/sshd_config
fi
chmod 0600 "${TARGET}"/etc/ssh/sshd_config "${TARGET}"/etc/ssh/ssh_config
TIMESTAMP=$(do_get_timestamp)
echo "${TIMESTAMP}" >> "${DIR_LOG}"ssh.log
do_in_target "${TARGET}" /bin/bash -c "sshd -T >> ${DIR_LOG}ssh.log"
###########################################################################################
# Remarks: The file /etc/profile.d/idle-users.sh is created to set two read-only #
# environment variables: TMOUT and HISTFILE. #
# TMOUT=14400 ensures that users are automatically logged out after 4 hours of inactivity.#
# readonly HISTFILE ensures that the command history cannot be changed. #
# The chmod +x command ensures that the file is executed in every shell session. #
###########################################################################################
echo "readonly TMOUT=14400" >> "${TARGET}"/etc/profile.d/idle-users.sh
echo "readonly HISTFILE" >> "${TARGET}"/etc/profile.d/idle-users.sh
chmod +x "${TARGET}"/etc/profile.d/idle-users.sh
do_show_footer "${MODULE_TXT}"
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh: