msw/CISS.debian.installer
SHA256
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

V8.00.000.2025.06.17
All checks were successful
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 37s
Details

Browse Source 
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
This commit is contained in:
Marc S. Weidner
2025-07-23 23:00:38 +02:00
parent 4d204071b2
commit 62db940cec
10 changed files with 394 additions and 34 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
README.md
View File

@@ -11,8 +11,8 @@ include_toc: true
[![Static Badge](https://badges.coresecret.dev/badge/shellformat-passed-white?style=plastic&logo=google&logoColor=white&logoSize=auto&label=shellformat&color=%234285F4)](https://github.com/mvdan/sh) &nbsp; [![Static Badge](https://badges.coresecret.dev/badge/shellformat-passed-white?style=plastic&logo=google&logoColor=white&logoSize=auto&label=shellformat&color=%234285F4)](https://github.com/mvdan/sh) &nbsp;
[![Static Badge](https://badges.coresecret.dev/badge/Shellstyle-Google-white?style=plastic&logo=google&logoColor=white&logoSize=auto&label=Shellstyle&color=%234285F4)](https://google.github.io/styleguide/shellguide.html) [![Static Badge](https://badges.coresecret.dev/badge/Shellstyle-Google-white?style=plastic&logo=google&logoColor=white&logoSize=auto&label=Shellstyle&color=%234285F4)](https://google.github.io/styleguide/shellguide.html)
&nbsp; &nbsp;
[![Static Badge](https://badges.coresecret.dev/badge/Gitea-1.23.8-white?style=plastic&logo=gitea&logoColor=white&logoSize=auto&label=gitea&color=%23609926)](https://docs.gitea.com/) &nbsp; [![Static Badge](https://badges.coresecret.dev/badge/Gitea-1.24.2-white?style=plastic&logo=gitea&logoColor=white&logoSize=auto&label=gitea&color=%23609926)](https://docs.gitea.com/) &nbsp;
[![Static Badge](https://badges.coresecret.dev/badge/IntelliJ-2025.1.2-white?style=plastic&logo=intellijidea&logoColor=white&logoSize=auto&label=IntelliJ&color=%23000000)](https://www.jetbrains.com/store/?section=personal&billing=yearly) &nbsp; [![Static Badge](https://badges.coresecret.dev/badge/IntelliJ-2025.1.4-white?style=plastic&logo=intellijidea&logoColor=white&logoSize=auto&label=IntelliJ&color=%23000000)](https://www.jetbrains.com/store/?section=personal&billing=yearly) &nbsp;
[![Static Badge](https://badges.coresecret.dev/badge/keepassxc-2.7.10-white?style=plastic&logo=keepassxc&logoColor=white&logoSize=auto&label=KeePassXC&color=%236CAC4D)](https://keepassxc.org/) &nbsp; [![Static Badge](https://badges.coresecret.dev/badge/keepassxc-2.7.10-white?style=plastic&logo=keepassxc&logoColor=white&logoSize=auto&label=KeePassXC&color=%236CAC4D)](https://keepassxc.org/) &nbsp;
[![Static Badge](https://badges.coresecret.dev/badge/netcup-Netcup-white?style=plastic&logo=netcup&logoColor=white&logoSize=auto&label=powered&color=%23056473)](https://www.netcup.com/de) &nbsp; [![Static Badge](https://badges.coresecret.dev/badge/netcup-Netcup-white?style=plastic&logo=netcup&logoColor=white&logoSize=auto&label=powered&color=%23056473)](https://www.netcup.com/de) &nbsp;
[![Static Badge](https://badges.coresecret.dev/badge/powered-Centurion-white?style=plastic&logo=europeanunion&logoColor=white&logoSize=auto&label=powered&color=%230F243E)](https://coresecret.eu/) &nbsp; [![Static Badge](https://badges.coresecret.dev/badge/powered-Centurion-white?style=plastic&logo=europeanunion&logoColor=white&logoSize=auto&label=powered&color=%230F243E)](https://coresecret.eu/) &nbsp;

36
func/system/4095_setup_skel.sh Normal file
View File

@@ -0,0 +1,36 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
guard_sourcing
#######################################
# Prepare '/etc/skel'-Directory.
# Globals:
# TARGET
# Arguments:
# None
# Returns:
# 0: on success
#######################################
setup_skel() {
install -D -m 0644 -o root -g root "${VAR_SETUP_PATH}/includes/etc/skel/.bashrc" "${TARGET}/etc/skel/"
install -D -m 0644 -o root -g root "${VAR_SETUP_PATH}/includes/etc/skel/.zshrc" "${TARGET}/etc/skel/"
install -D -m 0644 -o root -g root "${VAR_SETUP_PATH}/includes/root/.ciss/alias" "${TARGET}/etc/skel/.ciss/"
install -D -m 0644 -o root -g root "${VAR_SETUP_PATH}/includes/root/.ciss/clean_logout.sh" "${TARGET}/etc/skel/.ciss/"
install -D -m 0644 -o root -g root "${VAR_SETUP_PATH}/includes/root/.ciss/shortcuts" "${TARGET}/etc/skel/.ciss/"
# In order to be able to copy/paste from vim, one needs to create a '.vimrc' in every home directory with the following content:
echo 'set clipboard=unnamed' >| "${TARGET}/etc/skel/.vimrc"
chmod 0644 "${TARGET}/etc/skel/.vimrc"
do_log "info" "true" "Installed: '/etc/skel'-Files."
return 0
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

11
func/system/4200_setup_accounts.sh
View File

@@ -75,6 +75,17 @@ setup_accounts() {
fi fi
fi fi
install -D -m 0600 -o root -g root "${VAR_SETUP_PATH}/includes/etc/skel/.bashrc" "${TARGET}/root/"
install -D -m 0600 -o root -g root "${VAR_SETUP_PATH}/includes/etc/skel/.zshrc" "${TARGET}/root/"
install -D -m 0600 -o root -g root "${VAR_SETUP_PATH}/includes/root/.ciss/alias" "${TARGET}/root/.ciss/"
install -D -m 0700 -o root -g root "${VAR_SETUP_PATH}/includes/root/.ciss/clean_logout.sh" "${TARGET}/root/.ciss/"
install -D -m 0600 -o root -g root "${VAR_SETUP_PATH}/includes/root/.ciss/shortcuts" "${TARGET}/root/.ciss/"
# To be able to copy/paste from vim, one needs to create a '.vimrc' with the following content:
echo 'set clipboard=unnamed' >| "${TARGET}/root/.vimrc"
chmod 0600 "${TARGET}/root/.vimrc"
do_log "info" "true" "User: 'root' updated."
### Install all user accounts. ### Install all user accounts.
for ((i = 0; i <= VAR_USER_MAX; i++)); do for ((i = 0; i <= VAR_USER_MAX; i++)); do
tmp_username="user_user${i}_name" tmp_username="user_user${i}_name"

103
includes/etc/skel/.bashrc Normal file
View File

@@ -0,0 +1,103 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
[[ $- != *i* ]] && return
# shellcheck disable=SC2312
if [[ "$(id -u)" -eq 0 ]]; then
umask 0022
PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
else
umask 0077
PATH="/usr/local/bin:/usr/bin:/bin"
fi
export PATH
trap ' "${SHELL}" "${HOME}/.ciss/clean_logout.sh" ' 0
. "${HOME}/.ciss/alias"
. "${HOME}/.ciss/f2bchk.sh"
. "${HOME}/.ciss/shortcuts"
. "${HOME}/.ciss/scan_libwrap"
### Preferred editor for local and remote sessions.
export EDITOR="nano"
### History-Settings
# -'ignoreboth' Do not put duplicate lines or lines starting with space in the history.
# -'erasedups' Causes all previous lines matching the current line to be removed from the history list before that line is saved.
export HISTCONTROL="erasedups"
# The name of the file in which command history is saved. The default value is ~/.bash_history. If unset, the command history is
# not saved when a shell exits.
export HISTFILE=~/.bash_history
# The maximum number of lines contained in the history file.
export HISTFILESIZE="16384"
# The number of commands to remember in the command history. If the value is 0, commands are not saved in the history list.
# Numeric values less than zero result in every command being saved on the history list (there is no limit).
export HISTSIZE="16384"
# If this variable is set, time stamps are written to the history file, so they may be preserved across shell sessions.
export HISTTIMEFORMAT='%F %T '
# Check the window size after each command and, if necessary, update the values of "LINES" and "COLUMNS".
shopt -s checkwinsize
# Append to the history file, don't overwrite it.
shopt -s histappend
# If set, the pattern "**" used in a pathname expansion context will match all files and zero or more directories and subdirectories.
shopt -s globstar
### Define colors for bash prompt.
export CRED='\033[1;91m'
export CGRE='\033[1;92m'
export CYEL='\033[1;93m'
export CBLU='\033[1;94m'
export CMAG='\033[1;95m'
export CCYA='\033[1;96m'
export CWHI='\033[1;97m'
export CRES='\033[0m'
export NL='\n'
### Define color prompt incl. 'Exit Code' feedback.
export PS1="\
\[\033[1;91m\]\d\[\033[0m\]|\
\[\033[1;91m\]\u\[\033[0m\]@\
\[\033[1;95m\]\h\[\033[0m\]:\
\[\033[1;96m\]\w\[\033[0m\]/>>\
\$(if [[ \$? -eq 0 ]]; then \
echo -e \"\[\033[1;92m\]\$?\[\033[0m\]\"; \
else \
echo -e \"\[\033[1;91m\]\$?\[\033[0m\]\"; \
fi)\
\$(if [[ \$(id -u) -eq 0 ]]; then echo -e \" \[\033[1;91m\]#\[\033[0m\] \"; else echo -e \" \[\033[1;92m\]\\\$\[\033[0m\] \"; fi)"
### Overwrite Protection.
set -o noclobber
alias cp="cp -iv"
alias mv='mv -iv'
alias rm='rm -iv'
### Welcome message after login.
printf "\n"
printf "\e[91m🔐 Coresecret Channel Established. \e[0m\n"
printf "\e[92m✅ Welcome back\e[0m"; printf "\e[95m '%s' \e[0m" "${USER}"; printf "\e[92m! Type\e[0m"; printf "\e[95m 'celp'\e[0m"; printf "\e[92m for shortcuts. \e[0m\n"
printf "\n"
printf "\n"
#printf "\n"
#printf "%s🔐 Coresecret Channel Established. %s%s" "${CRED}" "${CRES}" "${NL}"
#printf "%s✅ Welcome back %s " "${CGRE}" "${CRES}"
#printf "%s'%s'%s" "${CMAG}" "${USER}" "${CRES}"
#printf "%s! Type%s " "${CGRE}" "${CRES}"
#printf "%s'celp'%s " "${CMAG}" "${CRES}"
#printf "%sfor shortcuts. %s%s" "${CGRE}" "${CRES}" "${NL}"
#printf "\n"
#printf "\n"
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

178
includes/etc/skel/.zshrc Normal file
View File

@@ -0,0 +1,178 @@
#!/bin/zsh
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
[[ $- != *i* ]] && return
# shellcheck disable=SC2312
if [[ "$(id -u)" -eq 0 ]]; then
umask 0022
# If you come from bash, you might have to change your $PATH.
PATH="${HOME}/bin:${HOME}/.local/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
else
umask 0077
# If you come from bash, you might have to change your $PATH.
PATH="${HOME}/bin:${HOME}/.local/bin:/usr/local/bin:/usr/bin:/bin"
fi
export PATH
### Path to your Oh My Zsh installation.
export ZSH="${HOME}/.oh-my-zsh"
# Set the name of the theme to load --- if set to "random", it will load a random theme each time Oh My Zsh is loaded, in which
# case, to know which specific one was loaded, run: echo $RANDOM_THEME. See https://github.com/ohmyzsh/ohmyzsh/wiki/Themes
export ZSH_THEME="robbyrussell"
# Set the list of themes to pick from when loading at random Setting this variable when ZSH_THEME=random will cause zsh to load
# a theme from this variable instead of looking in $ZSH/themes/. If set to an empty array, this variable will have no effect.
# ZSH_THEME_RANDOM_CANDIDATES=( "robbyrussell" "agnoster" )
# Uncomment the following line to use case-sensitive completion.
# CASE_SENSITIVE="true"
# Uncomment the following line to use hyphen-insensitive completion. Case-sensitive completion must be off. _ and - will be
# interchangeable.
# HYPHEN_INSENSITIVE="true"
# Uncomment one of the following lines to change the auto-update behavior
# zstyle ':omz:update' mode disabled # disable automatic updates
# zstyle ':omz:update' mode auto # update automatically without asking
# zstyle ':omz:update' mode reminder # just remind me to update when it's time
# Uncomment the following line to change how often to auto-update (in days).
# zstyle ':omz:update' frequency 13
# Uncomment the following line if pasting URLs and other text is messed up.
# DISABLE_MAGIC_FUNCTIONS="true"
# Uncomment the following line to disable colors in ls.
# DISABLE_LS_COLORS="true"
# Uncomment the following line to disable auto-setting terminal title.
# DISABLE_AUTO_TITLE="true"
# Uncomment the following line to enable command autocorrection.
# ENABLE_CORRECTION="true"
# Uncomment the following line to display red dots whilst waiting for completion. You can also set it to another string to have
# that is shown instead of the default red dots.
# e.g., COMPLETION_WAITING_DOTS="%F{yellow}waiting...%f"
# Caution: this setting can cause issues with multiline prompts in zsh < 5.7.1 (see #5765)
# COMPLETION_WAITING_DOTS="true"
# Uncomment the following line if you want to disable marking untracked files under VCS as dirty. This makes repository status
# check for large repositories much, much faster.
# DISABLE_UNTRACKED_FILES_DIRTY="true"
# Uncomment the following line if you want to change the command execution time stamp shown in the history command output.
# You can set one of the optional three formats:
# "mm/dd/yyyy"|"dd.mm.yyyy"|"yyyy-mm-dd"
# or set a custom format using the strftime function format specifications, see 'man strftime' for details.
export HIST_STAMPS="yyyy-mm-dd"
# Would you like to use another custom folder than $ZSH/custom?
# ZSH_CUSTOM=/path/to/new-custom-folder
# Which plugins would you like to load?
# Standard plugins can be found in $ZSH/plugins/
# Custom plugins may be added to $ZSH_CUSTOM/plugins/
# Example format: plugins=(rails git textmate ruby lighthouse)
# Add wisely, as too many plugins slow down shell startup.
export plugins=(git zsh-syntax-highlighting zsh-autosuggestions)
source ${ZSH}/oh-my-zsh.sh
# User configuration
# export MANPATH="/usr/local/man:{$MANPATH}"
# You may need to manually set your language environment
# export LANG=en_US.UTF-8
# Preferred editor for local and remote sessions
# if [[ -n $SSH_CONNECTION ]]; then
# export EDITOR='vim'
# else
# export EDITOR='nvim'
# fi
# Compilation flags
# export ARCHFLAGS="-arch $(uname -m)"
# Set personal aliases, overriding those provided by Oh My Zsh libs,
# plugins, and themes. Aliases can be placed here, though Oh My Zsh
# users are encouraged to define aliases within a top-level file in
# the $ZSH_CUSTOM folder, with .zsh extension. Examples:
# - $ZSH_CUSTOM/aliases.zsh
# - $ZSH_CUSTOM/macos.zsh
# For a full list of active aliases, run `alias`.
#
# Example aliases
# alias zshconfig="mate ~/.zshrc"
# alias ohmyzsh="mate ~/.oh-my-zsh"
### Added by CISS.debian.hardening ###
trap ' "${SHELL}" "${HOME}/.ciss/clean_logout.sh" ' 0
. "${HOME}/.ciss/alias"
. "${HOME}/.ciss/shortcuts"
. "${HOME}/.ciss/scan_libwrap"
. /usr/share/doc/fzf/examples/key-bindings.zsh
. /usr/share/doc/fzf/examples/completion.zsh
### Define colors for bash prompt
export CRED='\033[1;91m'
export CGRE='\033[1;92m'
export CYEL='\033[1;93m'
export CBLU='\033[1;94m'
export CMAG='\033[1;95m'
export CCYA='\033[1;96m'
export CWHI='\033[1;97m'
export CRES='\033[0m'
export NL='\n'
### Overwrite Protection
set -o noclobber
alias cp="cp -iv"
alias mv='mv -iv'
alias rm='rm -iv'
### Preferred editor for local and remote sessions
export EDITOR="nano"
### History
export HISTFILE="${HOME}/.zsh_history"
export HISTSIZE=4294967296
export SAVEHIST=4294967296
setopt EXTENDED_HISTORY
### Define Users
if [ "${UID}" -eq 0 ]; then
export USER_COLOR="%F{001}"
else
export USER_COLOR="%F{002}"
fi
### CISS.debian.hardening Prompt
PROMPT='${USER_COLOR}%D%f|${USER_COLOR}%n%f@%F{005}%M%f:%F{006}%d%f/>>%(?.%F{002}%?.%F{001}%?)%f|~%#> '
RPROMPT='%h|[${USER_COLOR}%*%f]'
### Welcome message after login.
printf "\n"
printf "%s🔐 Coresecret Channel Established. %s%s" "${CRED}" "${CRES}" "${NL}"
printf "%s✅ Welcome back %s " "${CGRE}" "${CRES}"
printf "%s'%s'%s" "${CMAG}" "${USER}" "${CRES}"
printf "%s! Type%s " "${CGRE}" "${CRES}"
printf "%s'celp'%s " "${CMAG}" "${CRES}"
printf "%sfor shortcuts. %s%s" "${CGRE}" "${CRES}" "${NL}"
printf "\n"
printf "\n"
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

28
includes/root/.ciss/alias
View File

@@ -119,6 +119,7 @@ genpasswd() {
done done
declare passwd declare passwd
# shellcheck disable=SC2312
passwd=$(tr -dc 'A-Za-z0-9_' < /dev/random | head -c "${length}") passwd=$(tr -dc 'A-Za-z0-9_' < /dev/random | head -c "${length}")
if [[ ${usebase64} -eq 1 ]]; then if [[ ${usebase64} -eq 1 ]]; then
@@ -136,6 +137,7 @@ genpasswd() {
# shellcheck disable=SC2317 # shellcheck disable=SC2317
genpasswdhash() { genpasswdhash() {
declare salt declare salt
# shellcheck disable=SC2312
salt=$(tr -dc 'A-Za-z0-9' < /dev/random | head -c 16) salt=$(tr -dc 'A-Za-z0-9' < /dev/random | head -c 16)
mkpasswd --method=sha-512 --salt="${salt}" --rounds=8388608 mkpasswd --method=sha-512 --salt="${salt}" --rounds=8388608
} }
@@ -146,11 +148,16 @@ genpasswdhash() {
# None # None
####################################### #######################################
genstring() { genstring() {
# shellcheck disable=SC2312
(haveged -n 1000 -f - 2>/dev/null | tr -cd '[:graph:]' | fold -w 16 && echo ) | head (haveged -n 1000 -f - 2>/dev/null | tr -cd '[:graph:]' | fold -w 16 && echo ) | head
} }
####################################### #######################################
# Wrapper for secure curl # Wrapper for secure curl
# Globals:
# CRED
# CRES
# NL
# Arguments: # Arguments:
# 1: URL from which to download a specific file # 1: URL from which to download a specific file
# 2: /path/to/file to be saved to # 2: /path/to/file to be saved to
@@ -161,7 +168,7 @@ genstring() {
####################################### #######################################
scurl() { scurl() {
if [[ $# -ne 2 ]]; then if [[ $# -ne 2 ]]; then
printf "\e[91m❌ Error: Usage: scurl <URL> <path/to/file>.\e[0m\n" >&2 printf "%s❌ Error: Usage: scurl <URL> <path/to/file>. %s%s" "${CRED}" "${CRES}" "${NL}" >&2
return 1 return 1
fi fi
declare url="$1" declare url="$1"
@@ -173,7 +180,7 @@ scurl() {
-o "${output_path}" \ -o "${output_path}" \
"${url}" "${url}"
then then
printf "\e[91m❌ Error: Download failed for URL: '%s'.\e[0m\n" "${url}" >&2 printf "%s❌ Error: Download failed for URL: '%s'. %s%s" "${CRED}" "${url}" "${CRES}" "${NL}" >&2
return 2 return 2
fi fi
return 0 return 0
@@ -181,6 +188,10 @@ scurl() {
####################################### #######################################
# Wrapper for secure wget # Wrapper for secure wget
# Globals:
# CRED
# CRES
# NL
# Arguments: # Arguments:
# 1: URL from which to download a specific file # 1: URL from which to download a specific file
# 2: /path/to/file to be saved to # 2: /path/to/file to be saved to
@@ -191,7 +202,7 @@ scurl() {
####################################### #######################################
swget() { swget() {
if [[ $# -ne 2 ]]; then if [[ $# -ne 2 ]]; then
printf "\e[91m❌ Error: Usage: swget <URL> <path/to/file>.\e[0m\n" >&2 printf "%s❌ Error: Usage: swget <URL> <path/to/file>. %s%s" "${CRED}" "${CRES}" "${NL}" >&2
return 1 return 1
fi fi
declare url="$1" declare url="$1"
@@ -204,21 +215,22 @@ swget() {
-qO "${output_path}" \ -qO "${output_path}" \
"${url}" "${url}"
then then
printf "\e[91m❌ Error: Download failed for URL: '%s'.\e[0m\n" "$url" >&2 printf "%s❌ Error: Download failed for URL: '%s'. %s%s" "${CRED}" "${url}" "${CRES}" "${NL}" >&2
return 2 return 2
fi fi
return 0 return 0
} }
####################################### #######################################
# Wrapper for loading CISS.2025 hardened Kernel Parameters # Wrapper for loading CISS.2025 hardened Kernel Parameters.
# Arguments: # Arguments:
# None # None
####################################### #######################################
sysp() { sysp() {
sysctl -p /etc/sysctl.d/99_local.hardened sysctl -p /etc/sysctl.d/99_local.hardened
# sleep 1 # sleep 1
sysctl -a | grep -E 'kernel|vm|net' > /var/log/sysctl_check"$(date +"%Y-%m-%d_%H:%M:%S")".log # shellcheck disable=SC2312
sysctl -a | grep -E 'kernel|vm|net' >| /var/log/sysctl_check"$(date +"%Y-%m-%d_%H:%M:%S")".log
} }
####################################### #######################################
@@ -238,9 +250,10 @@ trel() {
####################################### #######################################
whichpackage() { whichpackage() {
if ! command -v "$1" >/dev/null 2>&1; then if ! command -v "$1" >/dev/null 2>&1; then
printf 'Error: Program '%s' not found.\n' "$1" >&2 printf '%s❌ Error: Program '%s' not found. %s%s' "${CRED}" "$1" "${CRES}" "${NL}" >&2
exit 1 exit 1
fi fi
# shellcheck disable=SC2230,SC2312
dpkg -S "$(which "$1")" dpkg -S "$(which "$1")"
} }
@@ -252,6 +265,7 @@ whichpackage() {
# 3: Number of Entries (defaults 16) # 3: Number of Entries (defaults 16)
####################################### #######################################
whichused() { whichused() {
# shellcheck disable=SC2312
du -h --max-depth="${2:-1}" "${1:-/var}" | sort -hr | head -n "${3:-16}" du -h --max-depth="${2:-1}" "${1:-/var}" | sort -hr | head -n "${3:-16}"
} }
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

2
includes/root/.ciss/clean_logout.sh
View File

@@ -36,4 +36,6 @@ echo -e "\e[92m All done" "\e[95m'${USER}'" "\e[92m! \e[0m"
echo -e "\e[92m Close shell with 'ENTER' to exit" "\e[95m'${HOSTNAME}'" "\e[92m! \e[0m" echo -e "\e[92m Close shell with 'ENTER' to exit" "\e[95m'${HOSTNAME}'" "\e[92m! \e[0m"
# shellcheck disable=SC2162 # shellcheck disable=SC2162
read read
[[ -x /usr/bin/clear_console ]] && /usr/bin/clear_console -q
exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

39
includes/root/.ciss/f2bchk.sh
View File

@@ -19,7 +19,10 @@ set -Ceuo pipefail
# --log=/var/log/ufw.log \ # --log=/var/log/ufw.log \
# --output=/tmp/f2bchk.log # --output=/tmp/f2bchk.log
# Globals: # Globals:
# None # CGRE
# CRED
# CRES
# NL
# Arguments: # Arguments:
# None # None
# Returns: # Returns:
@@ -27,7 +30,7 @@ set -Ceuo pipefail
# 1: In case of any errors # 1: In case of any errors
####################################### #######################################
f2bchk(){ f2bchk(){
# Declare default values (readonly) ### Declare default values (readonly)
declare -r DEFAULT_MODE="matched" declare -r DEFAULT_MODE="matched"
declare -r DEFAULT_FILTER="/etc/fail2ban/filter.d/ufw.aggressive.conf" declare -r DEFAULT_FILTER="/etc/fail2ban/filter.d/ufw.aggressive.conf"
declare -r DEFAULT_LOG="/var/log/ufw.log" declare -r DEFAULT_LOG="/var/log/ufw.log"
@@ -45,7 +48,7 @@ f2bchk(){
--log=*) log="${arg#--log=}";; --log=*) log="${arg#--log=}";;
--output=*) output="${arg#--output=}";; --output=*) output="${arg#--output=}";;
*) *)
printf "\e[31m[ERROR]\e[0m Unknown argument: %s\n" "${arg}" printf "%s[ERROR]%s Unknown argument: '%s' %s" "${CRED}" "${CRES}" "${arg}" "${CRED}"
return 1 return 1
;; ;;
esac esac
@@ -57,7 +60,7 @@ f2bchk(){
matched) flag="--print-all-matched"; suffix="all.matched";; matched) flag="--print-all-matched"; suffix="all.matched";;
missed) flag="--print-all-missed"; suffix="all.missed";; missed) flag="--print-all-missed"; suffix="all.missed";;
*) *)
printf "\e[31m[ERROR]\e[0m Invalid mode: %s\n" "${mode}" printf "%s[ERROR]%s Invalid mode: '%s' %s" "${CRED}" "${CRES}" "${mode}" "${NL}"
return 1 return 1
;; ;;
esac esac
@@ -67,24 +70,30 @@ f2bchk(){
filter_name="${filter_name%.conf}" filter_name="${filter_name%.conf}"
output="/tmp/${filter_name}.${suffix}.log" output="/tmp/${filter_name}.${suffix}.log"
fi fi
if [[ ! -r "${log}" ]]; then if [[ ! -r "${log}" ]]; then
printf "\e[31m[ERROR]\e[0m Log file '%s' not found or not readable.\n" "${log}" printf "%s[ERROR]%s Log file '%s' not found or not readable. %s" "${CRED}" "${CRES}" "${log}" "${NL}"
return 1
fi
if [[ ! -r "${filter}" ]]; then
printf "\e[31m[ERROR]\e[0m Filter file '%s' not found or not readable.\n" "${filter}"
return 1 return 1
fi fi
printf "\e[33m[INFO]\e[0m Running: fail2ban-regex %s %s %s\n" "${log}" "${filter}" "${flag}" if [[ ! -r "${filter}" ]]; then
if fail2ban-regex "${log}" "${filter}" "${flag}" >| "${output}"; then printf "%s[ERROR]%s Filter file '%s' not found or not readable. %s" "${CRED}" "${CRES}" "${filter}" "${NL}"
printf "\e[32m[SUCCESS]\e[0m Saved log to %s\n" "$output"
printf "You can view it with: cat %s\n" "$output"
else
printf "\e[31m[ERROR]\e[0m fail2ban-regex execution failed.\n"
return 1 return 1
fi fi
printf "%s[INFO]%s Running: fail2ban-regex '%s %s %s' %s" "${CGRE}" "${CRES}" "${log}" "${filter}" "${flag}" "${NL}"
if fail2ban-regex "${log}" "${filter}" "${flag}" >| "${output}"; then
printf "%s[SUCCESS]%s Saved log to: '%s' %s" "${CGRE}" "${CRES}" "${output}" "${NL}"
printf "You can view it with: cat %s%s" "${output}" "${NL}"
else
printf "%s[ERROR]%s fail2ban-regex execution failed. %s" "${CRED}" "${CRES}" "${NL}"
return 1
fi
exit 0 exit 0
} }
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

25
includes/root/.ciss/scan_libwrap
View File

@@ -12,31 +12,38 @@
####################################### #######################################
# Scanner for 'libwrap' usage. # Scanner for 'libwrap' usage.
# Globals:
# CGRE
# CRES
# NL
# Arguments: # Arguments:
# None # None
####################################### #######################################
scanlw() { scanlw() {
printf "\e[92m🔍 Scanning all running processes for 'libwrap' usage ... \e[0m\n" printf "%s🔍 Scanning all running processes for 'libwrap' usage ... %s%s" "${CGRE}" "${CRES}" "${NL}"
printf "\n" printf "\n"
# Collect binaries from all running PIDs ### Collect binaries from all running PIDs.
declare pid exe_path comm user declare pid exe_path comm user
for pid in $(ps -e -o pid=); do for pid in $(ps -e -o pid=); do
exe_path=$(readlink -f "/proc/${pid}/exe" 2>/dev/null) exe_path=$(readlink -f "/proc/${pid}/exe" 2>/dev/null)
# Skip if not a regular executable ### Skip if not a regular executable.
[[ -x "${exe_path}" ]] || continue [[ -x "${exe_path}" ]] || continue
# Check if the binary is linked with libwrap ### Check if the binary is linked with libwrap.
if ldd "$exe_path" 2>/dev/null | grep -q "libwrap"; then # shellcheck disable=SC2312
comm=$(ps -p "$pid" -o comm=) if ldd "${exe_path}" 2>/dev/null | grep -q "libwrap"; then
user=$(ps -p "$pid" -o user=) comm=$(ps -p "${pid}" -o comm=)
printf "\e[92m✅ PID: %s (%s) [User: %s] is linked with 'libwrap.so'. \e[0m\n" "${pid}" "${comm}" "${user}" user=$(ps -p "${pid}" -o user=)
printf "%s✅ PID: %s (%s) [User: %s] is linked with 'libwrap.so'. %s%s" "${CGRE}" "${pid}" "${comm}" "${user}" "${CRES}" "${NL}"
fi fi
done done
printf "\n" printf "\n"
printf "\e[92m✅ Scan complete. \e[0m\n" printf "%s✅ Scan complete. %s%s" "${CGRE}" "${CRES}" "${NL}"
exit 0 exit 0
} }
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

2
includes/root/.ciss/shortcuts
View File

@@ -104,7 +104,7 @@ celp() {
declare i=0 declare i=0
declare entry declare entry
for entry in "${arr[@]}"; do for entry in "${arr[@]}"; do
# Print entry left-aligned in fixed width, colored ### Print entry left-aligned in fixed width, colored.
printf "${CMAG}%-${col_width}s${CRES}" "${entry}" printf "${CMAG}%-${col_width}s${CRES}" "${entry}"
((i++)) ((i++))
if ((i % cols == 0)); then if ((i % cols == 0)); then