V8.00.000.2025.06.17
All checks were successful
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 1m44s
All checks were successful
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 1m44s
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
This commit is contained in:
@@ -1,15 +1,17 @@
|
||||
#!/bin/bash
|
||||
# SPDX-Version: 3.0
|
||||
# SPDX-CreationInfo: 2025-02-13; WEIDNER, Marc S.; <cendev@coresecret.eu>
|
||||
# SPDX-ExternalRef: GIT https://cendev.eu/marc.weidner/CISS.2025.debian.installer.git
|
||||
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
|
||||
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
|
||||
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
|
||||
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <cendev@coresecret.eu>
|
||||
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
|
||||
# SPDX-FileType: SOURCE
|
||||
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
|
||||
# SPDX-LicenseComment: This file is part of the CISS.2025.hardened.installer framework.
|
||||
# SPDX-PackageName: CISS.2025.hardened.installer
|
||||
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
|
||||
# SPDX-PackageName: CISS.debian.installer
|
||||
# SPDX-Security-Contact: security@coresecret.eu
|
||||
|
||||
guard_sourcing
|
||||
|
||||
# TODO Important insert cryptdevice=UUID=881366ae-61ee-4ee0-893c-0def27c78c9e:cryptroot root=/dev/mapper/vg00-root
|
||||
# TODO Important insert GRUB_CMDLINE_LINUX_DEFAULT="net.ifnames=0 biosdevname=0 ip=152.53.66.126::152.53.64.1:255.255.252.0:soc:ens3:none"
|
||||
###########################################################################################
|
||||
74
func/9998_check_sshd_config_integrity.sh
Normal file
74
func/9998_check_sshd_config_integrity.sh
Normal file
@@ -0,0 +1,74 @@
|
||||
#!/bin/bash
|
||||
# SPDX-Version: 3.0
|
||||
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
|
||||
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
|
||||
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
|
||||
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
|
||||
# SPDX-FileType: SOURCE
|
||||
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
|
||||
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
|
||||
# SPDX-PackageName: CISS.debian.installer
|
||||
# SPDX-Security-Contact: security@coresecret.eu
|
||||
# SPDX-Comment: SSH-Hardening Integrity Check (Centurion SSH Audit Support)
|
||||
|
||||
set -Ceuo pipefail
|
||||
IFS=$'\n\t'
|
||||
|
||||
declare -r REF_CONFIG="/path/to/includes/etc/ssh/sshd_config"
|
||||
declare -r LIVE_CONFIG="/etc/ssh/sshd_config"
|
||||
declare -r REF_SSHD_T="/path/to/includes/etc/ssh/sshd_config.sshdT"
|
||||
|
||||
hash_file() {
|
||||
sha256sum "$1" | awk '{print $1}'
|
||||
}
|
||||
|
||||
bold() { tput bold; echo "$1"; tput sgr0; }
|
||||
red() { tput setaf 1; echo "$1"; tput sgr0; }
|
||||
green() { tput setaf 2; echo "$1"; tput sgr0; }
|
||||
|
||||
echo
|
||||
bold "🛡️ Checking SSH Configuration Integrity..."
|
||||
|
||||
if [[ ! -f "${REF_CONFIG}" ]]; then
|
||||
red "ERROR: Reference config '${REF_CONFIG}' not found."
|
||||
exit 1
|
||||
fi
|
||||
|
||||
if [[ ! -f "${LIVE_CONFIG}" ]]; then
|
||||
red "ERROR: Live config '${LIVE_CONFIG}' not found."
|
||||
exit 1
|
||||
fi
|
||||
|
||||
declare -r HASH_REF=$(hash_file "${REF_CONFIG}")
|
||||
declare -r HASH_LIVE=$(hash_file "${LIVE_CONFIG}")
|
||||
|
||||
if [[ "${HASH_REF}" == "${HASH_LIVE}" ]]; then
|
||||
green "✓ sshd_config matches reference (SHA256: ${HASH_LIVE})"
|
||||
else
|
||||
red "✗ sshd_config has been modified!"
|
||||
diff -u "${REF_CONFIG}" "${LIVE_CONFIG}" || true
|
||||
fi
|
||||
|
||||
# Vergleich der sshd -T Ausgabe
|
||||
echo
|
||||
bold "🔍 Verifying sshd -T output..."
|
||||
|
||||
if [[ ! -f "${REF_SSHD_T}" ]]; then
|
||||
red "ERROR: Reference sshd -T output not found: '${REF_SSHD_T}'"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
TMP_SSHD_T=$(mktemp)
|
||||
sshd -T > "${TMP_SSHD_T}"
|
||||
|
||||
if diff -q "${TMP_SSHD_T}" "${REF_SSHD_T}" >/dev/null; then
|
||||
green "✓ sshd -T output matches expected configuration."
|
||||
else
|
||||
red "✗ sshd -T output has changed:"
|
||||
diff -u "${REF_SSHD_T}" "${TMP_SSHD_T}" || true
|
||||
fi
|
||||
|
||||
rm -f "${TMP_SSHD_T}"
|
||||
echo
|
||||
bold "✔ SSH config integrity check completed."
|
||||
exit 0
|
||||
@@ -9,8 +9,7 @@
|
||||
# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
|
||||
# SPDX-PackageName: CISS.debian.installer
|
||||
# SPDX-Security-Contact: security@coresecret.eu
|
||||
|
||||
# coresecret.sh to be executed after dropbear SSH login
|
||||
# SPDX-Comment: coresecret.sh to be executed after dropbear SSH login
|
||||
|
||||
set -C -e -u -o pipefail
|
||||
IFS=$(printf ' \n\t')
|
||||
|
||||
Reference in New Issue
Block a user