msw/CISS.debian.installer
SHA256
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

V8.00.000.2025.06.17
All checks were successful
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 56s
Details

Browse Source 
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
This commit is contained in:
Marc S. Weidner
2025-09-05 17:15:05 +02:00
parent 2e83b6a7cc
commit 4c89e79afc
23 changed files with 942 additions and 332 deletions
Download Patch File Download Diff File Expand all files Collapse all files

45
.preseed/preseed.yaml
View File

@@ -104,6 +104,7 @@ image: "linux-image-6.12.41+deb13-amd64"
# "linux-image-6.12.30+bpo-amd64" # "linux-image-6.12.30+bpo-amd64"
# "linux-image-6.12.38+deb13-amd64" # "linux-image-6.12.38+deb13-amd64"
needrun: false # Static linking to "${TARGET}/run" can cause problems if this data is "burned" into the target. needrun: false # Static linking to "${TARGET}/run" can cause problems if this data is "burned" into the target.
provider: "netcup" # MUST be one of "contabo", "hetzner", "netcup" or leave empty.
################################################################################################################################ ################################################################################################################################
# Dropbear settings # Dropbear settings
@@ -425,7 +426,7 @@ grub_parameter:
grub: grub:
background: # RECOMMENDED settings: JPG 1280 x 1024 px or JPG 1920 x 1080 px background: # RECOMMENDED settings: JPG 1280 x 1024 px or JPG 1920 x 1080 px
enable: true # If you want to add a GRUB background. enable: true # If you want to add a GRUB background.
path: "/includes/target/etc/default/grub.d/hexagon_1280_720.png" path: "/includes/target/etc/default/grub.d/club_1280_720.png"
bootdev: "/dev/sda" # Due notably to potential USB sticks, the location of the primary drive cannot be determined bootdev: "/dev/sda" # Due notably to potential USB sticks, the location of the primary drive cannot be determined
# safely in general, so this needs to be specified. # safely in general, so this needs to be specified.
force_efi: true # Force GRUB installation to the EFI removable media path? force_efi: true # Force GRUB installation to the EFI removable media path?
@@ -530,6 +531,7 @@ network:
# Security settings # Security settings
################################################################################################################################ ################################################################################################################################
security: security:
ufw_out: deny # Policy for ufw outbound traffic. MUST be either 'allow' or 'deny'.
unauthenticated: false # The installer will ensure that any packages are signed and authenticated. unauthenticated: false # The installer will ensure that any packages are signed and authenticated.
unauthenticated_ssl: false # This ensures that the connection between the installer, and the server from which files unauthenticated_ssl: false # This ensures that the connection between the installer, and the server from which files
# are downloaded, is encrypted and signed by a trusted certificate authority. # are downloaded, is encrypted and signed by a trusted certificate authority.
@@ -558,10 +560,12 @@ software:
# util-linux # util-linux
# vim-common # vim-common
# zstd # zstd
#
############################################################################################################################## ##############################################################################################################################
### Installed by 4110_update_sources.sh ### Installed by 4110_update_sources.sh
############################################################################################################################## ##############################################################################################################################
# unattended-upgrades # unattended-upgrades
#
############################################################################################################################## ##############################################################################################################################
### Installed by 4130_installation_toolset.sh ### Installed by 4130_installation_toolset.sh
############################################################################################################################## ##############################################################################################################################
@@ -603,33 +607,56 @@ software:
# wget # wget
# whois # whois
# zsh # zsh
#
############################################################################################################################## ##############################################################################################################################
### Installed by 4140_installation_microcode.sh ### Installed by 4140_installation_microcode.sh
############################################################################################################################## ##############################################################################################################################
# amd64-microcode # amd64-microcode
# intel-microcode # intel-microcode
#
############################################################################################################################## ##############################################################################################################################
### Installed by 4150_installation_chrony.sh ### Installed by 4150_installation_chrony.sh
############################################################################################################################## ##############################################################################################################################
# chrony # chrony
#
############################################################################################################################## ##############################################################################################################################
### Installed by 4220_installation_cryptsetup.sh ### Installed by 4220_installation_cryptsetup.sh
############################################################################################################################## ##############################################################################################################################
# cryptsetup # cryptsetup
# cryptsetup-initramfs # cryptsetup-initramfs
#
############################################################################################################################## ##############################################################################################################################
### Installed by 4230_installation_grub.sh ### Installed by 4230_installation_grub.sh
############################################################################################################################## ##############################################################################################################################
# grub2-common # grub2-common
# grub-efi-amd64 || grub-efi-arm64 || grub-efi-ia32 # grub-efi-amd64 || grub-efi-arm64 || grub-efi-ia32
#
##############################################################################################################################
### Installed by 4305_installation_netsec.sh
##############################################################################################################################
# fail2ban
# ufw
#
############################################################################################################################## ##############################################################################################################################
### Installed by 4310_dropbear_build.sh ### Installed by 4310_dropbear_build.sh
############################################################################################################################## ##############################################################################################################################
# dropbear-initramfs # dropbear-initramfs
#
############################################################################################################################## ##############################################################################################################################
### Installed by 4420_installation_ssh.sh ### Installed by 4330_installation_ssh.sh
############################################################################################################################## ##############################################################################################################################
# ssh # ssh
#
##############################################################################################################################
# Installed by 4510_accounts_hardening.sh
##############################################################################################################################
# libpam-google-authenticator
# keychain
# wamerican
# wbritish
# wfrench
# wngerman
#
############################################################################################################################## ##############################################################################################################################
# core software # core software
############################################################################################################################## ##############################################################################################################################
@@ -643,7 +670,6 @@ software:
- git - git
- knot-dnssecutils - knot-dnssecutils
- knot-dnsutils - knot-dnsutils
- libpam-google-authenticator
- locate - locate
- rsyslog - rsyslog
- screen - screen
@@ -688,19 +714,6 @@ software:
############################################################################################################################## ##############################################################################################################################
- mdadm - mdadm
############################################################################################################################## ##############################################################################################################################
# password
##############################################################################################################################
- keychain
- wamerican
- wbritish
- wfrench
- wngerman
##############################################################################################################################
# security
##############################################################################################################################
- fail2ban
- ufw
##############################################################################################################################
# sw dev # sw dev
############################################################################################################################## ##############################################################################################################################
#- build-essential #- build-essential

2
.preseed/ssh_root_ca.pub
View File

@@ -1 +1 @@
ssh-rsa-cert-v01@openssh.com AAAAB3NzaC1yc2EtY2VydC12MDEAAABCBFtF...== root-ca@example.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN9klkdk7LwUWsLtm5p6+4aJyJ8KGX3vbKMNJlFJ2c/k Centurion 2025 SSH Root CA [offline]

38
ciss_debian_installer.sh
View File

@@ -14,8 +14,6 @@
# TODO: Install zsh Tools, eza # TODO: Install zsh Tools, eza
# TODO: Implement this function 4215_check_crypttab.sh # TODO: Implement this function 4215_check_crypttab.sh
# TODO: Implement this function 4435_hardening_fail2ban.sh
# TODO: Implement this function 4470_hardening_openssl.sh
# TODO: Update .dot files. # TODO: Update .dot files.
# TODO: Update README.md for each lib and func dir. # TODO: Update README.md for each lib and func dir.
# TODO: Update MANPAGE.md for each func. # TODO: Update MANPAGE.md for each func.
@@ -249,7 +247,7 @@ info_echo "4050_setup_locales.sh"
setup_locales setup_locales
### CDI_4100 ### CDI_4100
if [[ "${apt_default_deb822}" == "true" ]]; then if [[ "${VAR_DEB822}" == "true" ]]; then
info_echo "4105_generate_sources822.sh" info_echo "4105_generate_sources822.sh"
generate_sources822 generate_sources822
else else
@@ -300,7 +298,9 @@ update_grub_bootparameter
### CDI_4300 ### CDI_4300
info_echo "4300_installation_network.sh" info_echo "4300_installation_network.sh"
installation_network installation_network
if [[ "${dropbear_boot}" == "true" ]]; then info_echo "4305_installation_netsec.sh"
installation_netsec
if [[ "${VAR_DROPBEAR}" == "true" ]]; then
info_echo "4310_dropbear_build.sh" info_echo "4310_dropbear_build.sh"
dropbear_build dropbear_build
info_echo "4311_dropbear_initramfs.sh" info_echo "4311_dropbear_initramfs.sh"
@@ -310,28 +310,34 @@ if [[ "${dropbear_boot}" == "true" ]]; then
fi fi
info_echo "4320_update_initramfs.sh" info_echo "4320_update_initramfs.sh"
update_initramfs update_initramfs
info_echo "4330_installation_ssh.sh"
installation_ssh
### CDI_4400 ### CDI_4400
info_echo "4400_kernel_modules.sh" info_echo "4400_kernel_modules.sh"
kernel_modules && kernel_modprobe kernel_modules && kernel_modprobe
info_echo "4410_kernel_sysctl.sh" info_echo "4410_kernel_sysctl.sh"
kernel_sysctl kernel_sysctl
info_echo "4420_installation_ssh.sh" info_echo "4420_hardening_fail2ban.sh"
installation_ssh hardening_fail2ban
info_echo "4430_installation_skel.sh" info_echo "4430_hardening_files.sh"
installation_skel
#info_echo "4435_hardening_fail2ban.sh"
#hardening_fail2ban
info_echo "4440_hardening_files.sh"
hardening_files hardening_files
info_echo "4450_hardening_haveged.sh" info_echo "4440_hardening_haveged.sh"
hardening_haveged hardening_haveged
info_echo "4460_hardening_memory.sh" info_echo "4450_hardening_memory.sh"
hardening_memory hardening_memory
info_echo "4460_hardening_openssl.sh"
hardening_openssl
info_echo "4470_hardening_ufw.sh"
hardening_ufw
### CDI_4500 ### CDI_4500
info_echo "4500_installation_accounts.sh" info_echo "4500_accounts_preparation.sh"
installation_accounts # TODO: Checks ongoing accounts_preparation
info_echo "4510_accounts_hardening.sh"
accounts_hardening
info_echo "4520_accounts_setup.sh"
accounts_setup
### CDI_4600 ### CDI_4600
#info_echo "4205_check_fstab.sh" #info_echo "4205_check_fstab.sh"
@@ -354,7 +360,7 @@ if [[ "${VAR_RECOVERY}" == "true" ]]; then
fi fi
### Dialog Output for Initialization END ### Dialog Output for Initialization END
if ! "${VAR_AUTO_INSTALL}"; then . ./lib/cdi_0200_dialog/0200_dialog_helper.sh && dialog_box_cleaner; fi if ! "${VAR_AUTO_INSTALL}"; then dialog_box_cleaner; fi
declare -gx VAR_SCRIPT_SUCCESS="true" declare -gx VAR_SCRIPT_SUCCESS="true"

8
func/cdi_1250_yaml/1250_yaml_parser.sh
View File

@@ -15,6 +15,8 @@ guard_sourcing
####################################### #######################################
# Parsing './.preseed/preseed.yaml' and './.preseed/partitioning.yaml'. # Parsing './.preseed/preseed.yaml' and './.preseed/partitioning.yaml'.
# Globals: # Globals:
# ARY_ALLOW_IPV4
# ARY_ALLOW_IPV6
# ARY_BOOTPARAM # ARY_BOOTPARAM
# ARY_LOCALE # ARY_LOCALE
# ARY_NTPSRVR # ARY_NTPSRVR
@@ -32,7 +34,7 @@ guard_sourcing
yaml_parser() { yaml_parser() {
### Declare Arrays, HashMaps, and Variables. ### Declare Arrays, HashMaps, and Variables.
# shellcheck disable=SC2034 # shellcheck disable=SC2034
declare -ag ARY_BOOTPARAM=() ARY_LOCALE=() ARY_NTPSRVR=() ARY_PACKAGES=() declare -ag ARY_ALLOW_IPV4=() ARY_ALLOW_IPV6=() ARY_BOOTPARAM=() ARY_LOCALE=() ARY_NTPSRVR=() ARY_PACKAGES=()
declare -gix VAR_USER_MAX=0 declare -gix VAR_USER_MAX=0
declare var_index="" var_key="" var_value="" declare var_index="" var_key="" var_value=""
@@ -49,6 +51,8 @@ yaml_parser() {
grub_parameter_[0-9]*) ARY_BOOTPARAM+=("${var_value}") ;; grub_parameter_[0-9]*) ARY_BOOTPARAM+=("${var_value}") ;;
locale_locale_[0-9]*) ARY_LOCALE+=("${var_value}") ;; locale_locale_[0-9]*) ARY_LOCALE+=("${var_value}") ;;
ntp_server_[0-9]*) ARY_NTPSRVR+=("${var_value}") ;; ntp_server_[0-9]*) ARY_NTPSRVR+=("${var_value}") ;;
ssh_allow_ipv4_[0-9]*) ARY_ALLOW_IPV4+=("${var_value}") ;;
ssh_allow_ipv6_[0-9]*) ARY_ALLOW_IPV6+=("${var_value}") ;;
software_[0-9]*) ARY_PACKAGES+=("${var_value}") ;; software_[0-9]*) ARY_PACKAGES+=("${var_value}") ;;
esac esac
done < "${VAR_PRESEED}" done < "${VAR_PRESEED}"
@@ -68,6 +72,8 @@ yaml_parser() {
/^grub_parameter_[0-9]+=/d # delete grub parameter variables /^grub_parameter_[0-9]+=/d # delete grub parameter variables
/^locale_locale_[0-9]+=/d # delete locale variables /^locale_locale_[0-9]+=/d # delete locale variables
/^ntp_server_[0-9]+=/d # delete NTP server variables /^ntp_server_[0-9]+=/d # delete NTP server variables
/^ssh_allow_ipv4_[0-9]+=/d # delete ssh allow IPv4 variables
/^ssh_allow_ipv6_[0-9]+=/d # delete ssh allow IPv6 variables
/^software_[0-9]+=/d # delete software list variables /^software_[0-9]+=/d # delete software list variables
# --- Empty-value normalisation --------------------------------------- # --- Empty-value normalisation ---------------------------------------

26
func/cdi_1250_yaml/1251_yaml_reader.sh
View File

@@ -41,7 +41,8 @@ yaml_reader() {
# shellcheck disable=SC2034 # shellcheck disable=SC2034
declare -Ag HMP_RECIPE_DEV_PARTITIONS=() declare -Ag HMP_RECIPE_DEV_PARTITIONS=()
declare -gx VAR_RECIPE_STRING="" VAR_RECIPE_HIGHEST_DEVICE="" VAR_ARCHITECTURE="" VAR_RECIPE_FIRMWARE="" VAR_NUKE="" \ declare -gx VAR_RECIPE_STRING="" VAR_RECIPE_HIGHEST_DEVICE="" VAR_ARCHITECTURE="" VAR_RECIPE_FIRMWARE="" VAR_NUKE="" \
VAR_RECIPE_TABLE="" VAR_NEED_RUN_IN_TARGET="false" VAR_CODENAME="" VAR_DROPBEAR="" VAR_RECOVERY="" VAR_RECIPE_TABLE="" VAR_NEED_RUN_IN_TARGET="false" VAR_CODENAME="" VAR_DROPBEAR="" VAR_RECOVERY="" \
VAR_GRUB_PASSWORD="false" VAR_SSH_PORT="22" VAR_DEB822="true" VAR_PROVIDER="" VAR_SSH_CA="" VAR_UFW_OUT="deny"
### Declare and substitute input files. ### Declare and substitute input files.
declare -r var_if="${VAR_PRESEED}" declare -r var_if="${VAR_PRESEED}"
declare var_line="" var_middle_part="" var_highest_dev="" var_device="" var_fields="" var_partition="" \ declare var_line="" var_middle_part="" var_highest_dev="" var_device="" var_fields="" var_partition="" \
@@ -137,19 +138,34 @@ END { print max }
done done
### Extract APT file format.
# shellcheck disable=SC2034
VAR_DEB822="${apt_default_deb822,,}"
### Extract architecture. ### Extract architecture.
# shellcheck disable=SC2034 # shellcheck disable=SC2034
VAR_ARCHITECTURE="${architecture,,}" VAR_ARCHITECTURE="${architecture,,}"
### Extract distribution.
# shellcheck disable=SC2034 # shellcheck disable=SC2034
VAR_CODENAME="${distribution,,}" VAR_CODENAME="${distribution,,}"
### Extract dropbear installation.
# shellcheck disable=SC2034 # shellcheck disable=SC2034
VAR_DROPBEAR="${dropbear_boot,,}" VAR_DROPBEAR="${dropbear_boot,,}"
### Extract grub password installation.
# shellcheck disable=SC2034 # shellcheck disable=SC2034
VAR_GRUB_PASSWORD="${grub_password,,}" VAR_GRUB_PASSWORD="${grub_password,,}"
### Extract SSH Port.
# shellcheck disable=SC2034
VAR_SSH_PORT="${ssh_port,,}"
### Extract SSH Root CA.
# shellcheck disable=SC2034
VAR_SSH_CA="${ssh_root_ca,,}"
### Extract chroot secure '/run' mounting strategy. ### Extract chroot secure '/run' mounting strategy.
# shellcheck disable=SC2034 # shellcheck disable=SC2034
VAR_NEED_RUN_IN_TARGET="${needrun,,}" VAR_NEED_RUN_IN_TARGET="${needrun,,}"
@@ -190,11 +206,19 @@ END { print max }
fi fi
### Extract provider.
# shellcheck disable=SC2034
VAR_PROVIDER="${provider,,}"
### Extract the chosen Recovery mechanism. ### Extract the chosen Recovery mechanism.
recipe_recovery_var="recipe_${VAR_RECIPE_STRING}_control_recovery" recipe_recovery_var="recipe_${VAR_RECIPE_STRING}_control_recovery"
# shellcheck disable=SC2034 # shellcheck disable=SC2034
VAR_RECOVERY="${!recipe_recovery_var,,}" VAR_RECOVERY="${!recipe_recovery_var,,}"
### Extract ufw outgoing policy.
# shellcheck disable=SC2034
VAR_UFW_OUT="${security_ufw_out,,}"
guard_dir && return 0 guard_dir && return 0
} }
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

19
func/cdi_4000_debootstrap/4050_setup_locales.sh
View File

@@ -116,22 +116,9 @@ EOF
chroot_script "${TARGET}" "${var_locale_hook}" chroot_script "${TARGET}" "${var_locale_hook}"
### Set the keyboard layout for the system (for consoles). ### Set the keyboard layout for the system (for consoles).
cat << EOF >| "${TARGET}/etc/default/keyboard" insert_header "${TARGET}/etc/default/keyboard"
# SPDX-Version: 3.0 insert_comments "${TARGET}/etc/default/keyboard"
# SPDX-CreationInfo: ${VAR_DATE}; WEIDNER, Marc S.; <msw@coresecret.dev> cat << EOF >> "${TARGET}/etc/default/keyboard"
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
# /etc/default/keyboard : Generated by CISS.debian.installer ${VAR_VERSION}
# Architecture : ${VAR_ARCHITECTURE}
# Distribution : ${VAR_CODENAME}
# KEYBOARD CONFIGURATION FILE # KEYBOARD CONFIGURATION FILE
# Consult the keyboard(5) manual page. # Consult the keyboard(5) manual page.

4
func/cdi_4100_base/4121_installation_initramfs.sh
View File

@@ -19,8 +19,8 @@ guard_sourcing
# https://manpages.debian.org/testing/initramfs-tools-core/initramfs-tools.7.en.html # https://manpages.debian.org/testing/initramfs-tools-core/initramfs-tools.7.en.html
# Globals: # Globals:
# TARGET # TARGET
# VAR_KERNEL # VAR_ROOT_FS
# image # VAR_SETUP_PATH
# Arguments: # Arguments:
# None # None
# Returns: # Returns:

38
func/cdi_4300_network/4305_installation_netsec.sh Normal file
View File

@@ -0,0 +1,38 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
guard_sourcing
#######################################
# Installation of packages 'fail2ban' and 'ufw'.
# Globals:
# TARGET
# Arguments:
# None
# Returns:
# 0: on success
#######################################
installation_netsec() {
### Declare Arrays, HashMaps, and Variables.
declare -r var_logfile="/root/.ciss/cdi/log/4305_installation_netsec.log"
chroot_logger "${TARGET}${var_logfile}"
chroot_script "${TARGET}" "
export INITRD=No
apt-get install -y --no-install-suggests fail2ban ufw 2>&1 | tee -a ${var_logfile}
echo ExitCode: \$? >> ${var_logfile}
"
guard_dir && return 0
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

21
func/cdi_4400_hardening/4420_installation_ssh.sh → func/cdi_4300_network/4330_installation_ssh.sh
View File

@@ -15,16 +15,15 @@ guard_sourcing
####################################### #######################################
# Setup ssh server. # Setup ssh server.
# Globals: # Globals:
# BASH_REMATCH
# DIR_BAK
# DIR_LOG
# TARGET # TARGET
# VAR_FINAL_FQDN # VAR_FINAL_FQDN
# VAR_FINAL_IPV4 # VAR_FINAL_IPV4
# VAR_FINAL_IPV6 # VAR_FINAL_IPV6
# VAR_SETUP_PATH # VAR_SETUP_PATH
# ssh_port # VAR_USER_MAX
# ssh_root_ca # VAR_DROPBEAR
# VAR_SSH_PORT
# VAR_SSH_CA
# Arguments: # Arguments:
# None # None
# Returns: # Returns:
@@ -78,15 +77,15 @@ installation_ssh() {
sed -i "/^[[:space:]]*ListenAddressIPV6[[:space:]]*/d" "${TARGET}/etc/ssh/sshd_config" sed -i "/^[[:space:]]*ListenAddressIPV6[[:space:]]*/d" "${TARGET}/etc/ssh/sshd_config"
fi fi
sed -i -E "s|^[[:space:]]*Port[[:space:]]+.*$|$(printf '%-29s%s' 'Port' "${ssh_port}")|" "${TARGET}/etc/ssh/sshd_config" sed -i -E "s|^[[:space:]]*Port[[:space:]]+.*$|$(printf '%-29s%s' 'Port' "${VAR_SSH_PORT}")|" "${TARGET}/etc/ssh/sshd_config"
if (( ${#ary_user[@]} > 0 )); then if (( ${#ary_user[@]} > 0 )); then
sed -i -E "s|^\s*AllowUsers\s+.*$|$(printf '%-29s%s' 'AllowUsers' "root ${ary_user[*]}")|" "${TARGET}/etc/ssh/sshd_config" sed -i -E "s|^\s*AllowUsers\s+.*$|$(printf '%-29s%s' 'AllowUsers' "root ${ary_user[*]}")|" "${TARGET}/etc/ssh/sshd_config"
fi fi
if [[ -n "${ssh_root_ca}" ]]; then if [[ -n "${VAR_SSH_CA}" ]]; then
var_ca="${ssh_root_ca##*/}" var_ca="${VAR_SSH_CA##*/}"
install -D -m 0644 -o root -g root "${VAR_SETUP_PATH}${ssh_root_ca}" "${TARGET}/etc/ssh/" install -D -m 0644 -o root -g root "${VAR_SETUP_PATH}${VAR_SSH_CA}" "${TARGET}/etc/ssh/"
sed -i -E "s|^\s*TrustedUserCAKeys\s+.*$|$(printf '%-29s%s' 'TrustedUserCAKeys' "/etc/ssh/${var_ca}")|" "${TARGET}/etc/ssh/sshd_config" sed -i -E "s|^\s*TrustedUserCAKeys\s+.*$|$(printf '%-29s%s' 'TrustedUserCAKeys' "/etc/ssh/${var_ca}")|" "${TARGET}/etc/ssh/sshd_config"
fi fi
@@ -106,7 +105,7 @@ installation_ssh() {
chroot_script "${TARGET}" "ssh-keygen -r ${VAR_FINAL_FQDN}. >| /root/.ciss/cdi/log/SSHFP.log" chroot_script "${TARGET}" "ssh-keygen -r ${VAR_FINAL_FQDN}. >| /root/.ciss/cdi/log/SSHFP.log"
if [[ "${dropbear_boot}" == "true" ]]; then if [[ "${VAR_DROPBEAR}" == "true" ]]; then
printf "### Dropbear SSHFP RR: \n" >> "${TARGET}/root/.ciss/cdi/log/SSHFP.log" printf "### Dropbear SSHFP RR: \n" >> "${TARGET}/root/.ciss/cdi/log/SSHFP.log"
@@ -136,8 +135,6 @@ esac
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
EOF EOF
chmod 0644 "${TARGET}/etc/profile.d/idle-users.sh"
insert_comments "${TARGET}/etc/profile.d/idle-users.sh"
guard_dir && return 0 guard_dir && return 0
} }

207
func/cdi_4400_hardening/4420_hardening_fail2ban.sh Normal file
View File

@@ -0,0 +1,207 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
guard_sourcing
#######################################
# Hardening 'fail2ban'.
# Globals:
# ARY_ALLOW_IPV4
# ARY_ALLOW_IPV6
# TARGET
# VAR_FINAL_FQDN
# VAR_FINAL_IPV4
# VAR_FINAL_IPV6
# VAR_PROVIDER
# VAR_SSH_PORT
# Arguments:
# None
# Returns:
# 0: on success
#######################################
hardening_fail2ban() {
### Declare Arrays, HashMaps, and Variables.
declare
declare -r var_logfile="/root/.ciss/cdi/log/4420_hardening_fail2ban.log"
chroot_logger "${TARGET}${var_logfile}"
mkdir -p "${TARGET}/root/.ciss/cdi/backup/etc/fail2ban/jail.d"
cp "${TARGET}/etc/fail2ban/fail2ban.conf" "${TARGET}/root/.ciss/cdi/backup/etc/fail2ban/fail2ban.conf.bak"
mv "${TARGET}/etc/fail2ban/jail.d/defaults-debian.conf" "${TARGET}/root/.ciss/cdi/backup/etc/fail2ban/jail.d/defaults-debian.conf.bak"
# https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1024305
insert_header "${TARGET}/etc/fail2ban/fail2ban.local"
insert_comments "${TARGET}/etc/fail2ban/fail2ban.local"
cat << 'EOF' >> "${TARGET}/etc/fail2ban/fail2ban.local"
[DEFAULT]
allowipv6 = auto
EOF
insert_header "${TARGET}/etc/fail2ban/jail.d/centurion-default.conf"
insert_comments "${TARGET}/etc/fail2ban/jail.d/centurion-default.conf"
if [[ "${#ARY_ALLOW_IPV4[@]}" -gt 0 ]]; then
### fail2ban ufw aggressive mode, one attempt for jumphost configuration.
cat << EOF >> "${TARGET}/etc/fail2ban/jail.d/centurion-default.conf"
[DEFAULT]
usedns = yes
ignoreip = 127.0.0.0/8 ::1
# ${VAR_FINAL_FQDN}
${VAR_FINAL_IPV4}
${VAR_FINAL_IPV6}/64
# Jumphost
${ARY_ALLOW_IPV4[*]}
${ARY_ALLOW_IPV6[*]}
maxretry = 8
findtime = 12h
bantime = 12h
[sshd]
enabled = true
backend = systemd
filter = sshd
mode = normal
port = ${VAR_SSH_PORT}
protocol = tcp
logpath = /var/log/auth.log
maxretry = 3
findtime = 1d
bantime = 1d
#
# ufw aggressive approach:
# Any valid client communicating with our server should be going directly to the service ports opened in ufw (ssh, 80, ...).
# Any client touching other ports is treated malicious and therefore should be blocked access to ALL ports after 1 attempt.
#
[ufw]
enabled = true
filter = ufw.aggressive
action = iptables-allports
logpath = /var/log/ufw.log
maxretry = 1
findtime = 1d
bantime = 1d
protocol = tcp,udp
EOF
else
### fail2ban ufw aggressive mode, 32 attempts for NO jumphost configuration.
cat << EOF >> "${TARGET}/etc/fail2ban/jail.d/centurion-default.conf"
[DEFAULT]
usedns = yes
ignoreip = 127.0.0.0/8 ::1
# ${VAR_FINAL_FQDN}
${VAR_FINAL_IPV4}
${VAR_FINAL_IPV6}/64
maxretry = 8
findtime = 12h
bantime = 12h
[sshd]
enabled = true
backend = systemd
filter = sshd
mode = normal
port = ${VAR_SSH_PORT}
protocol = tcp
logpath = /var/log/auth.log
maxretry = 3
findtime = 1d
bantime = 1d
#
# ufw aggressive approach:
# Any valid client communicating with our server should be going directly to the service ports opened in ufw (ssh, 80, ...).
# Any client touching other ports is treated malicious and therefore should be blocked access to ALL ports after 32 attempts.
#
[ufw]
enabled = true
filter = ufw.aggressive
action = iptables-allports
logpath = /var/log/ufw.log
maxretry = 32
findtime = 1d
bantime = 1d
protocol = tcp,udp
EOF
fi
### Provider Hetzner needs special ignoreip rules.
if [[ "${VAR_PROVIDER}" == "hetzner" ]]; then
sed -i '0,/^maxretry/{s/^maxretry/# Hetzner Intern\n 172.31.1.1\/16\n&/}' "${TARGET}/etc/fail2ban/jail.d/centurion-default.conf"
fi
insert_header "${TARGET}/etc/fail2ban/filter.d/ufw.aggressive.conf"
insert_comments "${TARGET}/etc/fail2ban/filter.d/ufw.aggressive.conf"
cat << EOF >> "${TARGET}/etc/fail2ban/filter.d/ufw.aggressive.conf"
[Definition]
failregex = ^.*UFW BLOCK.* SRC=<HOST> .*DPT=\d+ .*
ignoreregex =
EOF
# Hardening of fail2ban systemd: https://wiki.archlinux.org/title/fail2ban#Service_hardening
# The 'CapabilityBoundingSet' parameters 'CAP_DAC_READ_SEARCH' will allow fail2ban full read access to every directory and
# file. "CAP_NET_ADMIN" and "CAP_NET_RAW" allow fail2ban to operate on any firewall that has a command-line shell interface.
# By using 'ProtectSystem=strict' the filesystem hierarchy will only be read-only; 'ReadWritePaths' allows Fail2ban to have
# write access on required paths.
mkdir -p "${TARGET}/etc/systemd/system/fail2ban.service.d"
mkdir -p "${TARGET}/var/log/fail2ban"
insert_header "${TARGET}/etc/systemd/system/fail2ban.service.d/override.conf"
insert_comments "${TARGET}/etc/systemd/system/fail2ban.service.d/override.conf"
cat << EOF >> "${TARGET}/etc/systemd/system/fail2ban.service.d/override.conf"
[Service]
PrivateDevices=yes
PrivateTmp=yes
ProtectHome=read-only
ProtectSystem=strict
ReadWritePaths=-/var/run/fail2ban
ReadWritePaths=-/var/lib/fail2ban
ReadWritePaths=-/var/log/fail2ban
ReadWritePaths=-/var/spool/postfix/maildrop
ReadWritePaths=-/run/xtables.lock
CapabilityBoundingSet=CAP_AUDIT_READ CAP_DAC_READ_SEARCH CAP_NET_ADMIN CAP_NET_RAW
ProtectClock=true
ProtectHostname=true
EOF
cat << 'EOF' >> "${TARGET}/etc/fail2ban/fail2ban.local"
[Definition]
logtarget = /var/log/fail2ban/fail2ban.log
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
EOF
### Logrotate must be updated too.
mkdir -p "${TARGET}/root/.ciss/cdi/backup/etc/logrotate.d"
cp "${TARGET}/etc/logrotate.d/fail2ban" "${TARGET}/root/.ciss/cdi/backup/etc/logrotate.d/fail2ban.bak"
sed -i 's/\/var\/log\/fail2ban.log/\/var\/log\/fail2ban\/fail2ban.log/1' "${TARGET}/etc/logrotate.d/fail2ban"
touch "${TARGET}/var/log/fail2ban/fail2ban.log"
chmod 640 "${TARGET}/var/log/fail2ban/fail2ban.log"
### Merge / Dump-Parse via 'fail2ban-client -d'. All '*.conf', '*.local', and 'jail.*'-files are read, inherited, and merged.
### Syntax, path, and key errors result in a non-zero exit.
chroot_script "${TARGET}" "
fail2ban-client -d >> ${var_logfile} && echo "OK: config parsed" >> ${var_logfile} || echo "ERROR: config invalid" >> ${var_logfile}
"
guard_dir && return 0
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

0
func/cdi_4400_hardening/4440_hardening_files.sh → func/cdi_4400_hardening/4430_hardening_files.sh
View File

204
func/cdi_4400_hardening/4435_hardening_fail2ban.sh
View File

@@ -1,204 +0,0 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
guard_sourcing
#######################################
# Hardening files and directories.
# Globals:
# None
# Arguments:
# None
# Returns:
# 0: on success
#######################################
hardening_fail2ban() {
### Declare Arrays, HashMaps, and Variables.
declare
declare -r var_logfile="/root/.ciss/cdi/log/4435_hardening_fail2ban.log"
chroot_logger "${TARGET}${var_logfile}"
chroot_script "${TARGET}" "
export INITRD=No
apt-get install -y --no-install-suggests fail2ban 2>&1 | tee -a ${var_logfile}
echo ExitCode: \$? >> ${var_logfile}
"
cp -u /etc/fail2ban/fail2ban.conf "${DIR_BAK}"fail2ban.conf.bak
mv "${TARGET}/etc/resolv.conf" "${TARGET}/root/.ciss/cdi/backup/etc/resolv.conf.bak"
# https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1024305
sed -i 's/#allowipv6 = auto/allowipv6 = auto/1' /etc/fail2ban/fail2ban.conf
mv /etc/fail2ban/jail.d/defaults-debian.conf /etc/fail2ban/jail.d/defaults-debian.conf.bak
chmod 644 /etc/fail2ban/jail.d/defaults-debian.conf.bak
if [[ "${JUMPHOST,,}" = "yes" ]]; then
###########################################################################################
# Remarks: fail2ban ufw aggresive mode - one attempt for Jumphost configuration #
###########################################################################################
cat <<EOF >/etc/fail2ban/jail.d/centurion-default.conf
##### Added by hardening.sh - Module: do_hardening_fail2ban #####
[DEFAULT]
usedns = yes
ignoreip = 127.0.0.0/8 ::1
# $FQDN
$IPV4 $IPV6/64
# Jumphost
$JUMPHOST_IPV4 $JUMPHOST_IPV6/64
maxretry = 8
findtime = 12h
bantime = 12h
[sshd]
enabled = true
backend = systemd
filter = sshd
mode = normal
port = $SSHPORT
protocol = tcp
logpath = /var/log/auth.log
maxretry = 3
findtime = 1d
bantime = 1d
#
# ufw aggressive approach:
# Any valid client communicating with our server should be going directly to the service ports opened in ufw (ssh, 80, 443, ...).
# Any client touching other ports is treated malicious and therefore should be blocked access to ALL ports after 1 attempt.
#
[ufw]
enabled = true
filter = ufw.aggressive
action = iptables-allports
logpath = /var/log/ufw.log
maxretry = 1
findtime = 1d
bantime = 1d
protocol = tcp,udp
EOF
else
###########################################################################################
# Remarks: fail2ban ufw aggresive mode 32 attempts for NO Jumphost configuration #
###########################################################################################
cat <<EOF >/etc/fail2ban/jail.d/centurion-default.conf
##### Added by hardening.sh - Module: do_hardening_fail2ban #####
[DEFAULT]
usedns = yes
ignoreip = 127.0.0.0/8 ::1
# $FQDN
$IPV4 $IPV6/64
maxretry = 8
findtime = 12h
bantime = 12h
[sshd]
enabled = true
backend = systemd
filter = sshd
mode = normal
port = $SSHPORT
protocol = tcp
logpath = /var/log/auth.log
maxretry = 3
findtime = 1d
bantime = 1d
#
# ufw aggressive approach:
# Any valid client communicating with our server should be going directly to the service ports opened in ufw (ssh, 80, 443, ...).
# Any client touching other ports is treated malicious and therefore should be blocked access to ALL ports after 32 attempts.
#
[ufw]
enabled = true
filter = ufw.aggressive
action = iptables-allports
logpath = /var/log/ufw.log
maxretry = 32
findtime = 1d
bantime = 1d
protocol = tcp,udp
EOF
fi
cat <<EOF >/etc/fail2ban/filter.d/ufw.aggressive.conf
##### Added by hardening.sh - Module: do_hardening_fail2ban #####
[Definition]
failregex = ^.*UFW BLOCK.* SRC=<HOST> .*DPT=\d+ .*
ignoreregex =
EOF
###########################################################################################
# Remarks: hardening of fail2ban systemd #
###########################################################################################
# https://wiki.archlinux.org/title/fail2ban#Service_hardening #
# The CapabilityBoundingSet parameters CAP_DAC_READ_SEARCH will allow Fail2ban full read #
# access to every directory and file. CAP_NET_ADMIN and CAP_NET_RAW allow Fail2ban to #
# operate # on any firewall that has command-line shell interface. By using #
# ProtectSystem=strict the filesystem hierarchy will only be read-only, ReadWritePaths #
# allows Fail2ban to have write access on required paths. #
###########################################################################################
mkdir -p /etc/systemd/system/fail2ban.service.d
mkdir /var/log/fail2ban
cat <<EOF >/etc/systemd/system/fail2ban.service.d/override.conf
[Service]
PrivateDevices=yes
PrivateTmp=yes
ProtectHome=read-only
ProtectSystem=strict
ReadWritePaths=-/var/run/fail2ban
ReadWritePaths=-/var/lib/fail2ban
ReadWritePaths=-/var/log/fail2ban
ReadWritePaths=-/var/spool/postfix/maildrop
ReadWritePaths=-/run/xtables.lock
CapabilityBoundingSet=CAP_AUDIT_READ CAP_DAC_READ_SEARCH CAP_NET_ADMIN CAP_NET_RAW
##### Added by CenDev
ProtectClock=true
ProtectHostname=true
EOF
cat <<EOF >>/etc/fail2ban/fail2ban.local
[Definition]
logtarget = /var/log/fail2ban/fail2ban.log
EOF
###########################################################################################
# Remarks: Hetzner needs special ignoreip rules #
###########################################################################################
if [[ "${VPSPROVIDER,,}" = "hetzner" ]]; then
sed -i '0,/^maxretry/{s/^maxretry/# Hetzner Intern\n 172.31.1.1\/16\n&/}' /etc/fail2ban/jail.d/centurion-default.conf
fi
###########################################################################################
# Remarks: Logrotate must be updated either #
###########################################################################################
cp -a /etc/logrotate.d/fail2ban "${DIR_BAK}"fail2ban_logrotate.bak
sed -i 's/\/var\/log\/fail2ban.log/\/var\/log\/fail2ban\/fail2ban.log/1' /etc/logrotate.d/fail2ban
touch /var/log/fail2ban/fail2ban.log
chmod 640 /var/log/fail2ban/fail2ban.log
guard_dir && return 0
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

23
func/cdi_4400_hardening/4450_hardening_haveged.sh → func/cdi_4400_hardening/4440_hardening_haveged.sh
View File

@@ -16,32 +16,15 @@ guard_sourcing
# Hardening haveged. # Hardening haveged.
# Globals: # Globals:
# TARGET # TARGET
# VAR_ARCHITECTURE
# VAR_CODENAME
# VAR_VERSION
# Arguments: # Arguments:
# None # None
# Returns: # Returns:
# 0: on success # 0: on success
####################################### #######################################
hardening_haveged() { hardening_haveged() {
cat << EOF >| "${TARGET}/etc/default/haveged" insert_header "${TARGET}/etc/default/haveged"
# SPDX-Version: 3.0 insert_comments "${TARGET}/etc/default/haveged"
# SPDX-CreationInfo: ${VAR_DATE}; WEIDNER, Marc S.; <msw@coresecret.dev> cat << EOF >> "${TARGET}/etc/default/haveged"
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
# Static file system information: /etc/default/haveged
# Generated by CISS.debian.installer ${VAR_VERSION}
# Architecture: ${VAR_ARCHITECTURE}
# Distribution: ${VAR_CODENAME}
# Configuration file for haveged # Configuration file for haveged
# Minimal, sane defaults for server/headless systems. # Minimal, sane defaults for server/headless systems.
# -w <bits> : target entropy level in bits; 1024 ensures fast pool fill on boot # -w <bits> : target entropy level in bits; 1024 ensures fast pool fill on boot

6
func/cdi_4400_hardening/4460_hardening_memory.sh → func/cdi_4400_hardening/4450_hardening_memory.sh
View File

@@ -56,11 +56,9 @@ hardening_memory() {
mkdir -p "${TARGET}/etc/systemd/coredump.conf.d" mkdir -p "${TARGET}/etc/systemd/coredump.conf.d"
mkdir -p "${TARGET}/etc/systemd/system.conf.d" mkdir -p "${TARGET}/etc/systemd/system.conf.d"
insert_header "${TARGET}/etc/security/limits.d/99-ciss-core.conf" insert_header "${TARGET}/etc/security/limits.d/99-ciss-core.conf"
insert_comments "${TARGET}/etc/security/limits.d/99-ciss-core.conf" insert_comments "${TARGET}/etc/security/limits.d/99-ciss-core.conf"
cat << EOF >> "${TARGET}/etc/security/limits.d/99-ciss-core.conf" cat << 'EOF' >> "${TARGET}/etc/security/limits.d/99-ciss-core.conf"
# Enforce: no core dumps for all logins by default. # Enforce: no core dumps for all logins by default.
# Format: <domain> <type> <item> <value> # Format: <domain> <type> <item> <value>
* hard core 0 * hard core 0
@@ -93,7 +91,7 @@ EOF
insert_header "${TARGET}/etc/systemd/system.conf.d/99-ciss-core.conf" insert_header "${TARGET}/etc/systemd/system.conf.d/99-ciss-core.conf"
insert_comments "${TARGET}/etc/systemd/system.conf.d/99-ciss-core.conf" insert_comments "${TARGET}/etc/systemd/system.conf.d/99-ciss-core.conf"
cat << EOF >> "${TARGET}/etc/systemd/system.conf.d/99-ciss-core.conf" cat << 'EOF' >> "${TARGET}/etc/systemd/system.conf.d/99-ciss-core.conf"
[Manager] [Manager]
DefaultLimitCORE=0 DefaultLimitCORE=0

35
func/cdi_4400_hardening/4460_hardening_openssl.sh Normal file
View File

@@ -0,0 +1,35 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
guard_sourcing
#######################################
# Hardening OpenSSL library defaults (system-wide), TLSv1.2-, TLSv1.3-, AES-256-only.
# Globals:
# TARGET
# VAR_SETUP_PATH
# Arguments:
# None
# Returns:
# 0: on success
#######################################
hardening_openssl() {
mkdir -p "${TARGET}/root/.ciss/cdi/backup/etc/ssl"
mv "${TARGET}/etc/ssl/openssl.cnf" "${TARGET}/root/.ciss/cdi/backup/etc/ssl/openssl.cnf.bak"
insert_header "${TARGET}/etc/ssl/openssl.cnf"
insert_comments "${TARGET}/etc/ssl/openssl.cnf"
cat "${VAR_SETUP_PATH}/includes/target/etc/ssl/openssl.cnf" >> "${TARGET}/etc/ssl/openssl.cnf"
guard_dir && return 0
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

85
func/cdi_4400_hardening/4470_hardening_ufw.sh Normal file
View File

@@ -0,0 +1,85 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
guard_sourcing
#######################################
# OpenSSL library defaults (system-wide), TLSv1.2-, TLSv1.3-, AES-256-only;
# Globals:
# TARGET
# VAR_SETUP_PATH
# Arguments:
# None
# Returns:
# 0: on success
#######################################
hardening_ufw() {
### Declare Arrays, HashMaps, and Variables.
declare -r var_logfile="/root/.ciss/cdi/log/4470_hardening_ufw.log"
chroot_logger "${TARGET}${var_logfile}"
if [[ ! -f "${TARGET}/var/log/ufw.log" ]]; then
touch "${TARGET}/var/log/ufw.log"
chmod 640 "${TARGET}/var/log/ufw.log"
fi
chroot_script "${TARGET}" "
ufw --force reset
ufw logging medium
ufw default deny incoming
ufw default ${VAR_UFW_OUT} outgoing
ufw default deny forward
ufw allow in ${VAR_SSH_PORT}/tcp comment 'Incoming SSH'
ufw limit ${VAR_SSH_PORT}/tcp comment 'Incoming SSH'
"
### Ensure that a standard set of the most commonly used ports are open if a default-'deny'-outbound policy is selected.
if [[ "${VAR_UFW_OUT}" = "deny" ]]; then
chroot_script "${TARGET}" "
ufw allow out 21/tcp comment 'Outgoing FTP'
ufw allow out 22/tcp comment 'Outgoing SSH'
ufw allow out 25/tcp comment 'Outgoing SMTP'
ufw allow out 53/tcp comment 'Outgoing DNS'
ufw allow out 80/tcp comment 'Outgoing HTTP'
ufw allow out 123/tcp comment 'Outgoing NTP'
ufw allow out 143/tcp comment 'Outgoing IMAP'
ufw allow out 443/tcp comment 'Outgoing HTTPS'
ufw allow out 465/tcp comment 'Outgoing SMTPS'
ufw allow out 587/tcp comment 'Outgoing SMTPS'
ufw allow out 993/tcp comment 'Outgoing IMAPS'
ufw allow out 4460/tcp comment 'Outgoing NTS'
ufw allow out ${VAR_SSH_PORT}/tcp comment 'Outgoing SSH'
ufw allow out 53/udp comment 'Outgoing DNS'
ufw allow out 123/udp comment 'Outgoing NTP'
ufw allow out 443/udp comment 'Outgoing QUIC'
ufw allow out 853/udp comment 'Outgoing DoQ'
"
fi
### Allowing ICMP IPv4 outgoing per default.
sed -i "/# ok icmp code for FORWARD/i \# ok icmp codes for OUTPUT" "${TARGET}/etc/ufw/before.rules"
sed -i "/# ok icmp code for FORWARD/i \-A ufw-before-output -p icmp --icmp-type destination-unreachable -j ACCEPT" "${TARGET}/etc/ufw/before.rules"
sed -i "/# ok icmp code for FORWARD/i \-A ufw-before-output -p icmp --icmp-type time-exceeded -j ACCEPT" "${TARGET}/etc/ufw/before.rules"
sed -i "/# ok icmp code for FORWARD/i \-A ufw-before-output -p icmp --icmp-type parameter-problem -j ACCEPT" "${TARGET}/etc/ufw/before.rules"
sed -i "/# ok icmp code for FORWARD/i \-A ufw-before-output -p icmp --icmp-type echo-request -j ACCEPT" "${TARGET}/etc/ufw/before.rules"
chroot_script "${TARGET}" "echo 'y' | ufw enable 2>&1"
chroot_script "${TARGET}" "
ufw status verbose >> ${var_logfile}
"
guard_dir && return 0
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

2
func/cdi_4400_hardening/4430_installation_skel.sh → func/cdi_4500_user/4500_accounts_preparation.sh
View File

@@ -22,7 +22,7 @@ guard_sourcing
# Returns: # Returns:
# 0: on success # 0: on success
####################################### #######################################
installation_skel() { accounts_preparation() {
mkdir -p "${TARGET}/etc/skel/.ciss" mkdir -p "${TARGET}/etc/skel/.ciss"
install -m 0644 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/skel/.bashrc" "${TARGET}/etc/skel/.bashrc" install -m 0644 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/skel/.bashrc" "${TARGET}/etc/skel/.bashrc"

6
func/cdi_4400_hardening/4470_hardening_openssl.sh → func/cdi_4500_user/4510_accounts_hardening.sh
View File

@@ -13,17 +13,15 @@
guard_sourcing guard_sourcing
####################################### #######################################
#
# Globals: # Globals:
# TARGET # TARGET
# VAR_ARCHITECTURE
# VAR_CODENAME
# VAR_VERSION
# Arguments: # Arguments:
# None # None
# Returns: # Returns:
# 0: on success # 0: on success
####################################### #######################################
hardening_ssl() { accounts_hardening() {
guard_dir && return 0 guard_dir && return 0
} }

2
func/cdi_4500_user/4500_installation_accounts.sh → func/cdi_4500_user/4520_accounts_setup.sh
View File

@@ -27,7 +27,7 @@ guard_sourcing
# Returns: # Returns:
# 0: on success # 0: on success
####################################### #######################################
installation_accounts() { accounts_setup() {
### Declare Arrays, HashMaps, and Variables. ### Declare Arrays, HashMaps, and Variables.
declare -i i declare -i i
declare tmp_username="" tmp_fullname="" tmp_uid="" tmp_gid="" tmp_shell="" tmp_password="" tmp_sshpubkey="" tmp_sudo="" \ declare tmp_username="" tmp_fullname="" tmp_uid="" tmp_gid="" tmp_shell="" tmp_password="" tmp_sshpubkey="" tmp_sudo="" \

427
includes/target/etc/ssl/openssl.cnf Normal file
View File

@@ -0,0 +1,427 @@
#
# OpenSSL example configuration file.
# See doc/man5/config.pod for more info.
#
# This is mostly being used for generation of certificate requests,
# but may be used for auto loading of providers
# Note that you can include other files from the main configuration
# file using the .include directive.
#.include filename
openssl_conf = default_conf
# This definition stops the following lines choking if HOME isn't
# defined.
HOME = .
# Use this in order to automatically load providers.
openssl_conf = openssl_init
# Comment out the next line to ignore configuration errors
config_diagnostics = 1
# Extra OBJECT IDENTIFIER info:
# oid_file = $ENV::HOME/.oid
oid_section = new_oids
# To use this configuration file with the "-extfile" option of the
# "openssl x509" utility, name here the section containing the
# X.509v3 extensions to use:
# extensions =
# (Alternatively, use a configuration file that has only
# X.509v3 extensions in its main [= default] section.)
[ new_oids ]
# We can add new OIDs in here for use by 'ca', 'req' and 'ts'.
# Add a simple OID like this:
# testoid1=1.2.3.4
# Or use config file substitution like this:
# testoid2=${testoid1}.5.6
# Policies used by the TSA examples.
tsa_policy1 = 1.2.3.4.1
tsa_policy2 = 1.2.3.4.5.6
tsa_policy3 = 1.2.3.4.5.7
# For FIPS
# Optionally include a file that is generated by the OpenSSL fipsinstall
# application. This file contains configuration data required by the OpenSSL
# fips provider. It contains a named section e.g. [fips_sect] which is
# referenced from the [provider_sect] below.
# Refer to the OpenSSL security policy for more information.
# .include fipsmodule.cnf
[openssl_init]
providers = provider_sect
# List of providers to load
[provider_sect]
default = default_sect
# The fips section name should match the section name inside the
# included fipsmodule.cnf.
# fips = fips_sect
# If no providers are activated explicitly, the default one is activated implicitly.
# See man 7 OSSL_PROVIDER-default for more details.
#
# If you add a section explicitly activating any other provider(s), you most
# probably need to explicitly activate the default provider, otherwise it
# becomes unavailable in openssl. As a consequence applications depending on
# OpenSSL may not work correctly which could lead to significant system
# problems including inability to remotely access the system.
[default_sect]
# activate = 1
####################################################################
[ ca ]
default_ca = CA_default # The default ca section
####################################################################
[ CA_default ]
dir = ./demoCA # Where everything is kept
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # database index file.
#unique_subject = no # Set to 'no' to allow creation of
# several certs with same subject.
new_certs_dir = $dir/newcerts # default place for new certs.
certificate = $dir/cacert.pem # The CA certificate
serial = $dir/serial # The current serial number
crlnumber = $dir/crlnumber # the current crl number
# must be commented out to leave a V1 CRL
crl = $dir/crl.pem # The current CRL
private_key = $dir/private/cakey.pem # The private key
x509_extensions = usr_cert # The extensions to add to the cert
# Comment out the following two lines for the "traditional"
# (and highly broken) format.
name_opt = ca_default # Subject Name options
cert_opt = ca_default # Certificate field options
# Extension copying option: use with caution.
# copy_extensions = copy
# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
# so this is commented out by default to leave a V1 CRL.
# crlnumber must also be commented out to leave a V1 CRL.
# crl_extensions = crl_ext
default_days = 365 # how long to certify for
default_crl_days= 30 # how long before next CRL
default_md = default # use public key default MD
preserve = no # keep passed DN ordering
# A few difference way of specifying how similar the request should look
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy = policy_match
# For the CA policy
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
# For the 'anything' policy
# At this point in time, you must list all acceptable 'object'
# types.
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
####################################################################
[ req ]
default_bits = 2048
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
x509_extensions = v3_ca # The extensions to add to the self signed cert
# Passwords for private keys if not present they will be prompted for
# input_password = secret
# output_password = secret
# This sets a mask for permitted string types. There are several options.
# default: PrintableString, T61String, BMPString.
# pkix : PrintableString, BMPString (PKIX recommendation before 2004)
# utf8only: only UTF8Strings (PKIX recommendation after 2004).
# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
# MASK:XXXX a literal mask value.
# WARNING: ancient versions of Netscape crash on BMPStrings or UTF8Strings.
string_mask = utf8only
# req_extensions = v3_req # The extensions to add to a certificate request
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = AU
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Some-State
localityName = Locality Name (eg, city)
0.organizationName = Organization Name (eg, company)
0.organizationName_default = Internet Widgits Pty Ltd
# we can do this but it is not needed normally :-)
#1.organizationName = Second Organization Name (eg, company)
#1.organizationName_default = World Wide Web Pty Ltd
organizationalUnitName = Organizational Unit Name (eg, section)
#organizationalUnitName_default =
commonName = Common Name (e.g. server FQDN or YOUR name)
commonName_max = 64
emailAddress = Email Address
emailAddress_max = 64
# SET-ex3 = SET extension number 3
[ req_attributes ]
challengePassword = A challenge password
challengePassword_min = 4
challengePassword_max = 20
unstructuredName = An optional company name
[ usr_cert ]
# These extensions are added when 'ca' signs a request.
# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.
basicConstraints=CA:FALSE
# This is typical in keyUsage for a client certificate.
# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
# This stuff is for subjectAltName and issuerAltname.
# Import the email address.
# subjectAltName=email:copy
# An alternative to produce certificates that aren't
# deprecated according to PKIX.
# subjectAltName=email:move
# Copy subject details
# issuerAltName=issuer:copy
# This is required for TSA certificates.
# extendedKeyUsage = critical,timeStamping
[ v3_req ]
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
[ v3_ca ]
# Extensions for a typical CA
# PKIX recommendation.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer
basicConstraints = critical,CA:true
# Key usage: this is typical for a CA certificate. However since it will
# prevent it being used as an test self-signed certificate it is best
# left out by default.
# keyUsage = cRLSign, keyCertSign
# Include email address in subject alt name: another PKIX recommendation
# subjectAltName=email:copy
# Copy issuer details
# issuerAltName=issuer:copy
# DER hex encoding of an extension: beware experts only!
# obj=DER:02:03
# Where 'obj' is a standard or added object
# You can even override a supported extension:
# basicConstraints= critical, DER:30:03:01:01:FF
[ crl_ext ]
# CRL extensions.
# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
# issuerAltName=issuer:copy
authorityKeyIdentifier=keyid:always
[ proxy_cert_ext ]
# These extensions should be added when creating a proxy certificate
# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.
basicConstraints=CA:FALSE
# This is typical in keyUsage for a client certificate.
# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
# This stuff is for subjectAltName and issuerAltname.
# Import the email address.
# subjectAltName=email:copy
# An alternative to produce certificates that aren't
# deprecated according to PKIX.
# subjectAltName=email:move
# Copy subject details
# issuerAltName=issuer:copy
# This really needs to be in place for it to be a proxy certificate.
proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo
####################################################################
[ tsa ]
default_tsa = tsa_config1 # the default TSA section
[ tsa_config1 ]
# These are used by the TSA reply generation only.
dir = ./demoCA # TSA root directory
serial = $dir/tsaserial # The current serial number (mandatory)
crypto_device = builtin # OpenSSL engine to use for signing
signer_cert = $dir/tsacert.pem # The TSA signing certificate
# (optional)
certs = $dir/cacert.pem # Certificate chain to include in reply
# (optional)
signer_key = $dir/private/tsakey.pem # The TSA private key (optional)
signer_digest = sha256 # Signing digest to use. (Optional)
default_policy = tsa_policy1 # Policy if request did not specify it
# (optional)
other_policies = tsa_policy2, tsa_policy3 # acceptable policies (optional)
digests = sha1, sha256, sha384, sha512 # Acceptable message digests (mandatory)
accuracy = secs:1, millisecs:500, microsecs:100 # (optional)
clock_precision_digits = 0 # number of digits after dot. (optional)
ordering = yes # Is ordering defined for timestamps?
# (optional, default: no)
tsa_name = yes # Must the TSA name be included in the reply?
# (optional, default: no)
ess_cert_id_chain = no # Must the ESS cert id chain be included?
# (optional, default: no)
ess_cert_id_alg = sha256 # algorithm to compute certificate
# identifier (optional, default: sha256)
[insta] # CMP using Insta Demo CA
# Message transfer
server = pki.certificate.fi:8700
# proxy = # set this as far as needed, e.g., http://192.168.1.1:8080
# tls_use = 0
path = pkix/
# Server authentication
recipient = "/C=FI/O=Insta Demo/CN=Insta Demo CA" # or set srvcert or issuer
ignore_keyusage = 1 # quirk needed to accept Insta CA cert not including digitalsignature
unprotected_errors = 1 # quirk needed to accept negative responses possibly not protected
extracertsout = insta.extracerts.pem
# Client authentication
ref = 3078 # user identification
secret = pass:insta # can be used for both client and server side
# Generic message options
cmd = ir # default operation, can be overridden on cmd line with, e.g., kur
# Certificate enrollment
subject = "/CN=openssl-cmp-test"
newkey = insta.priv.pem
out_trusted = apps/insta.ca.crt # does not include keyUsage digitalSignature
certout = insta.cert.pem
[pbm] # Password-based protection for Insta CA
# Server and client authentication
ref = $insta::ref # 3078
secret = $insta::secret # pass:insta
[signature] # Signature-based protection for Insta CA
# Server authentication
trusted = $insta::out_trusted # apps/insta.ca.crt
# Client authentication
secret = # disable PBM
key = $insta::newkey # insta.priv.pem
cert = $insta::certout # insta.cert.pem
[ir]
cmd = ir
[cr]
cmd = cr
[kur]
# Certificate update
cmd = kur
oldcert = $insta::certout # insta.cert.pem
[rr]
# Certificate revocation
cmd = rr
oldcert = $insta::certout # insta.cert.pem
##### Added by CISS.debian.installer #####
[default_conf]
ssl_conf = ssl_sect
[ssl_sect]
system_default = system_default_sect
[system_default_sect]
# Protocol floor / ceiling:
# - only TLS 1.2 and 1.3.
# - TLS 1.3 is FS by design;
# - TLS 1.2 FS enforced via cipher list.
MinProtocol = TLSv1.2
MaxProtocol = TLSv1.3
# TLS 1.2 cipher policy:
# - Forward secrecy only: ECDHE or DHE (no static RSA kx);
# - AES-256 *GCM* only (no DHE (dheatattack), no AES-128, no CBC);
# - Keep distro default SECLEVEL=2 explicitly.
CipherString = ECDHE+AES256-GCM:ECDHE+CHACHA20:ECDHE+ARIA256-GCM:ECDHE+CAMELLIA256-GCM:!kRSA:!PSK:!SRP:!aNULL:!eNULL:@SECLEVEL=2
# TLS 1.3 cipher policy: AES-256 and ChaCha20-Poly1305 only:
Ciphersuites = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
# Prefer strong, widely-supported ECDHE groups (first = most preferred):
Groups = X448:X25519:P-521:P-384
# Operational flags:
# -SessionTicket => disable TLS session tickets (TLS 1.2 + 1.3)
# ServerPreference => honour server cipher order (TLS 1.2)
# NoRenegotiation => disallow TLS 1.2 renegotiation
Options = -SessionTicket,ServerPreference,NoRenegotiation
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf

29
lib/cdi_0100_arg/0105_arg_nuke_converter.sh
View File

@@ -16,46 +16,43 @@ guard_sourcing
# Generates 'nuke=HASH' Bootparameter. # Generates 'nuke=HASH' Bootparameter.
# Globals: # Globals:
# DIR_CNF # DIR_CNF
# ERR_READ_NUKE_FILE
# VAR_DEBUG_TRACE
# VAR_NUKE_HASH # VAR_NUKE_HASH
# Arguments: # Arguments:
# None # None
# Returns: # Returns:
# 0: on success # 0: on success
# ERR_GENERATE_SALT
# ERR_READ_NUKE_FILE # ERR_READ_NUKE_FILE
####################################### #######################################
nuke_passphrase() { nuke_passphrase() {
declare -r var_nuke_pwd_file="${DIR_CNF}/password_luks_nuke.txt" declare -r var_nuke_pwd_file="${DIR_CNF}/password_luks_nuke.txt"
declare var_temp_nuke_hash="" var_temp_plain_nuke_pwd="" var_salt="" declare var_temp_nuke_hash="" var_temp_plain_nuke_pwd="" var_salt="" var_nuke_rounds=""
# shellcheck disable=SC2016,SC2312
var_nuke_rounds="$(
yq -r '
paths(scalars) as $p
| select( ($p|last|tostring) | test("_nuke_rounds$") )
| getpath($p)
' "${DIR_CNF}/preseed.yaml" | head -n1
)"
[[ ! -f "${var_nuke_pwd_file}" ]] && return 0 [[ ! -f "${var_nuke_pwd_file}" ]] && return 0
### TODO: PASSWORD REMINDER START
guard_trace on guard_trace on
if ! read_password_file "${var_nuke_pwd_file}" var_temp_plain_nuke_pwd; then if ! read_password_file "${var_nuke_pwd_file}" var_temp_plain_nuke_pwd; then
return "${ERR_READ_NUKE_FILE}" return "${ERR_READ_NUKE_FILE}"
fi fi
### TODO: PASSWORD REMINDER STOP
guard_trace off guard_trace off
if ! var_salt="$(generate_salt)"; then if ! var_salt="$(generate_salt)"; then
return "${ERR_GENERATE_SALT}" return "${ERR_GENERATE_SALT}"
fi fi
### TODO: PASSWORD REMINDER START
guard_trace on guard_trace on
var_temp_nuke_hash=$(mkpasswd --method=sha-512 --salt="${var_salt}" --rounds="${var_nuke_rounds:-8388608}" "${var_temp_plain_nuke_pwd}")
var_temp_nuke_hash=$(mkpasswd --method=sha-512 --salt="${var_salt}" --rounds="${VAR_NUKE_ROUNDS:-8388608}" "${var_temp_plain_nuke_pwd}")
### TODO: PASSWORD REMINDER STOP
guard_trace off guard_trace off
declare -grx VAR_NUKE_HASH="${var_temp_nuke_hash}" declare -grx VAR_NUKE_HASH="${var_temp_nuke_hash}"

18
meta_loader_func.sh
View File

@@ -74,23 +74,27 @@ source_guard "./func/cdi_4200_boot/4250_update_grub_bootparameter.sh"
### cdi_4300_network ### cdi_4300_network
source_guard "./func/cdi_4300_network/4300_installation_network.sh" source_guard "./func/cdi_4300_network/4300_installation_network.sh"
source_guard "./func/cdi_4300_network/4305_installation_netsec.sh"
source_guard "./func/cdi_4300_network/4310_dropbear_build.sh" source_guard "./func/cdi_4300_network/4310_dropbear_build.sh"
source_guard "./func/cdi_4300_network/4311_dropbear_initramfs.sh" source_guard "./func/cdi_4300_network/4311_dropbear_initramfs.sh"
source_guard "./func/cdi_4300_network/4312_dropbear_setup.sh" source_guard "./func/cdi_4300_network/4312_dropbear_setup.sh"
source_guard "./func/cdi_4300_network/4320_update_initramfs.sh" source_guard "./func/cdi_4300_network/4320_update_initramfs.sh"
source_guard "./func/cdi_4300_network/4330_installation_ssh.sh"
### cdi_4400_hardening ### cdi_4400_hardening
source_guard "./func/cdi_4400_hardening/4400_kernel_modules.sh" source_guard "./func/cdi_4400_hardening/4400_kernel_modules.sh"
source_guard "./func/cdi_4400_hardening/4410_kernel_sysctl.sh" source_guard "./func/cdi_4400_hardening/4410_kernel_sysctl.sh"
source_guard "./func/cdi_4400_hardening/4420_installation_ssh.sh" source_guard "./func/cdi_4400_hardening/4420_hardening_fail2ban.sh"
source_guard "./func/cdi_4400_hardening/4430_installation_skel.sh" source_guard "./func/cdi_4400_hardening/4430_hardening_files.sh"
source_guard "./func/cdi_4400_hardening/4435_hardening_fail2ban.sh" source_guard "./func/cdi_4400_hardening/4440_hardening_haveged.sh"
source_guard "./func/cdi_4400_hardening/4440_hardening_files.sh" source_guard "./func/cdi_4400_hardening/4450_hardening_memory.sh"
source_guard "./func/cdi_4400_hardening/4450_hardening_haveged.sh" source_guard "./func/cdi_4400_hardening/4460_hardening_openssl.sh"
source_guard "./func/cdi_4400_hardening/4460_hardening_memory.sh" source_guard "./func/cdi_4400_hardening/4470_hardening_ufw.sh"
### cdi_4500_user ### cdi_4500_user
source_guard "./func/cdi_4500_user/4500_installation_accounts.sh" source_guard "./func/cdi_4500_user/4500_accounts_preparation.sh"
source_guard "./func/cdi_4500_user/4510_accounts_hardening.sh"
source_guard "./func/cdi_4500_user/4520_accounts_setup.sh"
### cdi_4600_verification ### cdi_4600_verification
#source_guard "./func/cdi_4600_verification/4610_finalize_system.sh" #source_guard "./func/cdi_4600_verification/4610_finalize_system.sh"

11
var/global.var.sh
View File

@@ -42,7 +42,7 @@ declare -grx LOG_NIC="${DIR_LOG}/ciss_debian_installer_$$_nic.log"
declare -grx LOG_UID="${DIR_LOG}/ciss_debian_installer_$$_uuid.log" declare -grx LOG_UID="${DIR_LOG}/ciss_debian_installer_$$_uuid.log"
declare -grx LOG_DBS="${DIR_LOG}/ciss_debian_installer_$$_debootstrap.log" declare -grx LOG_DBS="${DIR_LOG}/ciss_debian_installer_$$_debootstrap.log"
### Initialize variable of imported and cleaned 'YAML' -> 'BASH-variable'-file. ### Initialize the variable of imported and cleaned 'YAML' -> 'BASH-variable'-file.
declare -grx VAR_PRESEED="${DIR_TMP}/combined.var" declare -grx VAR_PRESEED="${DIR_TMP}/combined.var"
declare -grx VAR_SETUP_CONF="${DIR_CNF}/preseed.yaml" declare -grx VAR_SETUP_CONF="${DIR_CNF}/preseed.yaml"
declare -grx VAR_SETUP_PART="${DIR_CNF}/partitioning.yaml" declare -grx VAR_SETUP_PART="${DIR_CNF}/partitioning.yaml"
@@ -70,4 +70,13 @@ declare -gx VAR_KERNEL=""
### 4240_update_grub_password.sh ### 4240_update_grub_password.sh
declare -gx VAR_GRUB_PASSWORD="false" declare -gx VAR_GRUB_PASSWORD="false"
### 4310_dropbear_build.sh
declare -gx VAR_DROPBEAR=""
### 4330_installation_ssh.sh
declare -gx VAR_SSH_PORT=""
### 4470_hardening_ufw.sh
declare -gx VAR_UFW_OUT="deny"
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh