msw/CISS.debian.installer
SHA256
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

V8.00.000.2025.06.17
All checks were successful
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 1m44s
Details

Browse Source 
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
This commit is contained in:
Marc S. Weidner
2025-07-15 22:19:24 +02:00
parent 580bc4289c
commit 1cb7b5d7b4
3 changed files with 82 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
source/func/3.8.2.z.functions_installation_dropbear.sh → func/4190_installation_dropbear.sh
View File

@@ -1,15 +1,17 @@
#!/bin/bash #!/bin/bash
# SPDX-Version: 3.0 # SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-02-13; WEIDNER, Marc S.; <cendev@coresecret.eu> # SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://cendev.eu/marc.weidner/CISS.2025.debian.installer.git # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <cendev@coresecret.eu> # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE # SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.2025.hardened.installer framework. # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.2025.hardened.installer # SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
guard_sourcing
# TODO Important insert cryptdevice=UUID=881366ae-61ee-4ee0-893c-0def27c78c9e:cryptroot root=/dev/mapper/vg00-root # TODO Important insert cryptdevice=UUID=881366ae-61ee-4ee0-893c-0def27c78c9e:cryptroot root=/dev/mapper/vg00-root
# TODO Important insert GRUB_CMDLINE_LINUX_DEFAULT="net.ifnames=0 biosdevname=0 ip=152.53.66.126::152.53.64.1:255.255.252.0:soc:ens3:none" # TODO Important insert GRUB_CMDLINE_LINUX_DEFAULT="net.ifnames=0 biosdevname=0 ip=152.53.66.126::152.53.64.1:255.255.252.0:soc:ens3:none"
########################################################################################### ###########################################################################################

74
func/9998_check_sshd_config_integrity.sh Normal file
View File

@@ -0,0 +1,74 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
# SPDX-Comment: SSH-Hardening Integrity Check (Centurion SSH Audit Support)
set -Ceuo pipefail
IFS=$'\n\t'
declare -r REF_CONFIG="/path/to/includes/etc/ssh/sshd_config"
declare -r LIVE_CONFIG="/etc/ssh/sshd_config"
declare -r REF_SSHD_T="/path/to/includes/etc/ssh/sshd_config.sshdT"
hash_file() {
sha256sum "$1" | awk '{print $1}'
}
bold() { tput bold; echo "$1"; tput sgr0; }
red() { tput setaf 1; echo "$1"; tput sgr0; }
green() { tput setaf 2; echo "$1"; tput sgr0; }
echo
bold "🛡️ Checking SSH Configuration Integrity..."
if [[ ! -f "${REF_CONFIG}" ]]; then
red "ERROR: Reference config '${REF_CONFIG}' not found."
exit 1
fi
if [[ ! -f "${LIVE_CONFIG}" ]]; then
red "ERROR: Live config '${LIVE_CONFIG}' not found."
exit 1
fi
declare -r HASH_REF=$(hash_file "${REF_CONFIG}")
declare -r HASH_LIVE=$(hash_file "${LIVE_CONFIG}")
if [[ "${HASH_REF}" == "${HASH_LIVE}" ]]; then
green "✓ sshd_config matches reference (SHA256: ${HASH_LIVE})"
else
red "✗ sshd_config has been modified!"
diff -u "${REF_CONFIG}" "${LIVE_CONFIG}" || true
fi
# Vergleich der sshd -T Ausgabe
echo
bold "🔍 Verifying sshd -T output..."
if [[ ! -f "${REF_SSHD_T}" ]]; then
red "ERROR: Reference sshd -T output not found: '${REF_SSHD_T}'"
exit 1
fi
TMP_SSHD_T=$(mktemp)
sshd -T > "${TMP_SSHD_T}"
if diff -q "${TMP_SSHD_T}" "${REF_SSHD_T}" >/dev/null; then
green "✓ sshd -T output matches expected configuration."
else
red "✗ sshd -T output has changed:"
diff -u "${REF_SSHD_T}" "${TMP_SSHD_T}" || true
fi
rm -f "${TMP_SSHD_T}"
echo
bold "✔ SSH config integrity check completed."
exit 0

3
func/9999_coresecret.sh
View File

@@ -9,8 +9,7 @@
# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework. # SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
# SPDX-PackageName: CISS.debian.installer # SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
# SPDX-Comment: coresecret.sh to be executed after dropbear SSH login
# coresecret.sh to be executed after dropbear SSH login
set -C -e -u -o pipefail set -C -e -u -o pipefail
IFS=$(printf ' \n\t') IFS=$(printf ' \n\t')