V8.00.000.2025.06.17

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>

func/cdi_4400_hardening/4460_hardening_memory.sh

@@ -13,9 +13,17 @@
 guard_sourcing
 
 #######################################
-# Hardening memory dump.
+# Hardening memory dump via:
+#   '/etc/systemd/coredump.conf.d/disable.conf'
+#   '/etc/security/limits.d/90-ciss-core.conf'
+#   '/etc/systemd/system.conf.d/90-ciss-core.conf'
+#   '/etc/pam.d/common-session'
+#   '/etc/pam.d/common-session-noninteractive'
 # Globals:
 #   TARGET
+#   VAR_ARCHITECTURE
+#   VAR_CODENAME
+#   VAR_VERSION
 # Arguments:
 #   None
 # Returns:
@@ -43,7 +51,6 @@ hardening_memory() {
 [Coredump]
 Storage=none
 EOF
-
   chmod 0644 "${TARGET}/etc/systemd/coredump.conf.d/disable.conf"
 
   cat << EOF >| "${TARGET}/etc/security/limits.d/90-ciss-core.conf"
@@ -68,9 +75,90 @@ EOF
 
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
 EOF
-
   chmod 0644 "${TARGET}/etc/security/limits.d/90-ciss-core.conf"
 
+  mkdir -p "${TARGET}/etc/systemd/system.conf.d"
+  cat << EOF >| "${TARGET}/etc/systemd/system.conf.d/90-ciss-core.conf"
+# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.installer
+# SPDX-Security-Contact: security@coresecret.eu
+
+# Static file system information: /etc/systemd/system.conf.d/90-ciss-core.conf"
+# Generated by CISS.debian.installer ${VAR_VERSION}
+# Architecture: ${VAR_ARCHITECTURE}
+# Distribution: ${VAR_CODENAME}
+
+[Manager]
+DefaultLimitCORE=0
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
+EOF
+  chmod 0644 "${TARGET}/etc/systemd/system.conf.d/90-ciss-core.conf"
+
+  guard_pam_limits
+
   guard_dir && return 0
 }
+
+#######################################
+# Ensure 'pam_limits.so' is activated in:
+#   '/etc/pam.d/common-session'
+#   '/etc/pam.d/common-session-noninteractive'
+# Globals:
+#   TARGET
+# Arguments:
+#   None
+# Returns:
+#   0: on success
+#######################################
+guard_pam_limits() {
+  ### Declare Arrays, HashMaps, and Variables.
+  declare     var_file_0="${TARGET}/etc/pam.d/common-session"
+  declare     var_file_1="${TARGET}/etc/pam.d/common-session-noninteractive"
+  declare     var_line='session required pam_limits.so' var_file=""
+  declare -i  var_changed=0
+
+  for var_file in "${var_file_0}" "${var_file_1}"; do
+
+    [[ -f "${var_file}" ]] || continue
+
+    ### Already active (not commented out)?
+    if grep -qE '^[[:space:]]*session[[:space:]]+required[[:space:]]+pam_limits\.so([[:space:]]|$)' "${var_file}"; then
+
+      continue
+
+    fi
+
+    ### If only commented out, activate (preferred over blunt appending).
+    if grep -qE '^[[:space:]]*#([[:space:]]*)session[[:space:]]+required[[:space:]]+pam_limits\.so([[:space:]]|$)' "${var_file}"; then
+
+      ### Remove comment characters at the beginning of lines (atomically via tmp file).
+      declare var_tmp; var_tmp="$(mktemp "${var_file}.XXXXXX")"
+
+      awk '
+        /^[[:space:]]*#([[:space:]]*)session[[:space:]]+required[[:space:]]+pam_limits\.so([[:space:]]|$)/ {
+          sub(/^[[:space:]]*#([[:space:]]*)/,""); print; next
+        } { print }
+      ' "${var_file}" >> "${var_tmp}" && mv -- "${var_tmp}" "${var_file}"
+
+      var_changed=1
+      continue
+    fi
+
+    ### Otherwise, append to the end (cleanly with a new line).
+    printf '\n%s\n' "${var_line}" >> "${var_file}"
+    var_changed=1
+
+  done
+
+  (( var_changed )) && do_log "info" "file_only" "4460() Activated pam_limits.so: (common-session[*])"
+
+  return 0
+}
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh