V8.00.000.2025.06.17

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2025-09-05 17:15:05 +02:00
parent 2e83b6a7cc
commit 4c89e79afc
23 changed files with 942 additions and 332 deletions
--- a/func/cdi_4400_hardening/4450_hardening_memory.sh
+++ b/func/cdi_4400_hardening/4450_hardening_memory.sh
@@ -0,0 +1,161 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.installer
+# SPDX-Security-Contact: security@coresecret.eu
+
+guard_sourcing
+
+#######################################
+# NOTE:
+#   According to the manual pages of limits.conf(5) and pam_limits(8),
+#   entries in '/etc/security/limits.conf' or drop-ins under
+#   '/etc/security/limits.d/' are NOT applied automatically by the system.
+#   The actual enforcement of these ulimit(2) constraints, including
+#   '* soft core 0' and '* hard core 0' to disable kernel core dumps,
+#   requires that the PAM module 'pam_limits.so' is invoked in the
+#   'session' stack of the respective service (e.g., via
+#   '/etc/pam.d/common-session' and
+#   '/etc/pam.d/common-session-noninteractive').
+#
+#   Without 'pam_limits.so' present in these PAM configuration files,
+#   the configured limits remain ineffective for PAM-based logins
+#   (SSH, local TTY, sudo, su, cron, etc.).
+#   Services launched by systemd bypass PAM and must have 'LimitCORE=0'
+#   or 'DefaultLimitCORE=0' set in their unit or in system.conf.d(5).
+#
+# References:
+#   - man 5 limits.conf
+#   - man 8 pam_limits
+#######################################
+
+#######################################
+# Hardening memory dump via:
+#   '/etc/systemd/coredump.conf.d/disable.conf'
+#   '/etc/security/limits.d/90-ciss-core.conf'
+#   '/etc/systemd/system.conf.d/90-ciss-core.conf'
+#   '/etc/pam.d/common-session'
+#   '/etc/pam.d/common-session-noninteractive'
+# Globals:
+#   TARGET
+#   VAR_ARCHITECTURE
+#   VAR_CODENAME
+#   VAR_VERSION
+# Arguments:
+#   None
+# Returns:
+#   0: on success
+#######################################
+hardening_memory() {
+  mkdir -p "${TARGET}/etc/systemd/coredump.conf.d"
+  mkdir -p "${TARGET}/etc/systemd/system.conf.d"
+
+  insert_header   "${TARGET}/etc/security/limits.d/99-ciss-core.conf"
+  insert_comments "${TARGET}/etc/security/limits.d/99-ciss-core.conf"
+  cat << 'EOF' >> "${TARGET}/etc/security/limits.d/99-ciss-core.conf"
+# Enforce: no core dumps for all logins by default.
+# Format: <domain> <type> <item> <value>
+*     hard core 0
+*     soft core 0
+root  hard core 0
+root  soft core 0
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
+EOF
+
+
+  insert_header   "${TARGET}/etc/systemd/coredump.conf.d/disable.conf"
+  insert_comments "${TARGET}/etc/systemd/coredump.conf.d/disable.conf"
+  cat << 'EOF' >> "${TARGET}/etc/systemd/coredump.conf.d/disable.conf"
+### Do not store core images anywhere, keep the at most minimal metadata.
+
+[Coredump]
+Storage=none
+ProcessSizeMax=0
+ExternalSizeMax=0
+JournalSizeMax=0
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
+EOF
+
+
+  [[ -f  "${TARGET}/etc/systemd/system.conf.d/10-coredump-debian.conf" ]] && \
+    mv "${TARGET}/etc/systemd/system.conf.d/10-coredump-debian.conf" "${TARGET}/etc/systemd/system.conf.d/10-coredump-debian.conf.bak"
+
+
+  insert_header   "${TARGET}/etc/systemd/system.conf.d/99-ciss-core.conf"
+  insert_comments "${TARGET}/etc/systemd/system.conf.d/99-ciss-core.conf"
+  cat << 'EOF' >> "${TARGET}/etc/systemd/system.conf.d/99-ciss-core.conf"
+[Manager]
+DefaultLimitCORE=0
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
+EOF
+
+  guard_pam_limits
+
+  guard_dir && return 0
+}
+
+#######################################
+# Ensure 'pam_limits.so' is activated in:
+#   '/etc/pam.d/common-session'
+#   '/etc/pam.d/common-session-noninteractive'
+# Globals:
+#   TARGET
+# Arguments:
+#   None
+# Returns:
+#   0: on success
+#######################################
+guard_pam_limits() {
+  ### Declare Arrays, HashMaps, and Variables.
+  declare     var_file_0="${TARGET}/etc/pam.d/common-session"
+  declare     var_file_1="${TARGET}/etc/pam.d/common-session-noninteractive"
+  declare     var_line='session required pam_limits.so' var_file=""
+  declare -i  var_changed=0
+
+  for var_file in "${var_file_0}" "${var_file_1}"; do
+
+    [[ -f "${var_file}" ]] || continue
+
+    ### Already active (not commented out)?
+    if grep -qE '^[[:space:]]*session[[:space:]]+required[[:space:]]+pam_limits\.so([[:space:]]|$)' "${var_file}"; then
+
+      continue
+
+    fi
+
+    ### If only commented out, activate (preferred over blunt appending).
+    if grep -qE '^[[:space:]]*#([[:space:]]*)session[[:space:]]+required[[:space:]]+pam_limits\.so([[:space:]]|$)' "${var_file}"; then
+
+      ### Remove comment characters at the beginning of lines (atomically via tmp file).
+      declare var_tmp; var_tmp="$(mktemp "${var_file}.XXXXXX")"
+
+      awk '
+        /^[[:space:]]*#([[:space:]]*)session[[:space:]]+required[[:space:]]+pam_limits\.so([[:space:]]|$)/ {
+          sub(/^[[:space:]]*#([[:space:]]*)/,""); print; next
+        } { print }
+      ' "${var_file}" >> "${var_tmp}" && mv -- "${var_tmp}" "${var_file}"
+
+      var_changed=1
+      continue
+    fi
+
+    ### Otherwise, append to the end (cleanly with a new line).
+    printf '\n%s\n' "${var_line}" >> "${var_file}"
+    var_changed=1
+
+  done
+
+  (( var_changed )) && do_log "info" "file_only" "4460() Activated pam_limits.so: (common-session[*])"
+
+  guard_dir && return 0
+}
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh