V8.00.000.2025.06.17

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2025-10-17 06:42:14 +01:00
parent bedd0d3fa5
commit 7d599e8463
71 changed files with 2203 additions and 548 deletions


@@ -64,7 +64,6 @@ prepare_mounts() {
done
for var_path in "${!HMP_SPECIAL_MOUNTS[@]}"; do
IFS=" " read -r var_fs var_src var_opts <<< "${HMP_SPECIAL_MOUNTS[${var_path}]}"
@@ -87,7 +86,6 @@ prepare_mounts() {
done
if [[ "${VAR_NEED_RUN_IN_TARGET:-false}" == "true" ]]; then
mkdir -p "${var_target}/run"
@@ -103,7 +101,6 @@ prepare_mounts() {
fi
if ! chroot_exec "${var_target}" mkdir -p /etc/systemd/system/multi-user.target.wants; then
do_log "emergency" "file_only" "4010() Command: [chroot_exec ${var_target} mkdir -p /etc/systemd/system/multi-user.target.wants] failed."
@@ -115,8 +112,6 @@ prepare_mounts() {
mkdir -p "${var_target}/media/cdrom0"
# shellcheck disable=SC2034
if [[ "${VAR_RUN_RECOVERY}" == "false" ]]; then
declare -gx VAR_CHROOT_ACTIVATED="system"


@@ -0,0 +1,60 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
guard_sourcing
#######################################
# Prepare '/root' for XDG framework.
# Globals:
# RECOVERY
# TARGET
# VAR_RUN_RECOVERY
# VAR_SETUP_PATH
# Arguments:
# None
# Returns:
# 0: on success
#######################################
prepare_xdg_root() {
### Declare Arrays, HashMaps, and Variables.
declare var_target="${TARGET}"
### Check for TARGET / RECOVERY.
[[ "${VAR_RUN_RECOVERY}" == "true" ]] && var_target="${RECOVERY}"
install -m 0755 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/profile.d/ciss-xdg.sh" "${var_target}/etc/profile.d/"
install -m 0444 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/default/ciss-xdg-profile" "${var_target}/etc/default/"
install -m 0400 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/root/ciss_xdg_tmp.sh" "${var_target}/etc/root/"
# shellcheck disable=SC2016
chroot_script "${var_target}" '
install -d -m 0755 /etc/xdg
### Create canonical directories.
_xdg_umask="$(umask)"
umask 0077
[[ -d "${XDG_CONFIG_HOME}" ]] || install -d -m 0700 -- "${XDG_CONFIG_HOME}"
[[ -d "${XDG_DATA_HOME}" ]] || install -d -m 0700 -- "${XDG_DATA_HOME}"
[[ -d "${XDG_CACHE_HOME}" ]] || install -d -m 0700 -- "${XDG_CACHE_HOME}"
[[ -d "${XDG_STATE_HOME}" ]] || install -d -m 0700 -- "${XDG_STATE_HOME}"
[[ -d "${XDG_STATE_HOME}/bash" ]] || install -d -m 0700 -- "${XDG_STATE_HOME}/bash"
[[ -d "${XDG_STATE_HOME}/less" ]] || install -d -m 0700 -- "${XDG_STATE_HOME}/less"
umask "$_xdg_umask"
unset _xdg_umask
'
guard_dir && return 0
}
### Prevents accidental 'unset -f'.
# shellcheck disable=SC2034
readonly -f prepare_xdg_root
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
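Review bot: The third `install` line places the helper at `${var_target}/etc/root/ciss_xdg_tmp.sh`, but every chroot_script body touched by this commit (update_sources, installation_kernel and the rest) sources `/root/ciss_xdg_tmp.sh`, so unless `/etc/root` is a link to `/root` the `[[ -r ... ]]` guard silently skips it everywhere; `install -m 0400 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/root/ciss_xdg_tmp.sh" "${var_target}/root/"` would match the callers, and note that `install` without `-D` also fails outright when a trailing-slash destination directory such as `/etc/root/` does not exist. Inside the single-quoted chroot_script body the `XDG_*_HOME` variables are used before anything visible here sets them; if chroot_script does not export them, `install -d -m 0700 -- ""` fails, so starting the body with the same `[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh` prelude the other hunks use would make this block self-contained. `_xdg_umask="$(umask)"` is restored with `umask "$_xdg_umask"` but never quoted consistently with the rest of the file; a minor style point.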


@@ -40,6 +40,7 @@ update_sources() {
### Update generated sources.
# shellcheck disable=SC2312
chroot_script "${var_target}" "
[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
apt-get update 2>&1 | tee -a ${var_logfile}
"
do_log "info" "file_only" "4110() Sources lists: updated successfully."
@@ -50,6 +51,7 @@ update_sources() {
chroot_script "${var_target}" "
export INITRD=No
[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
apt-get install -y --no-install-recommends --no-install-suggests unattended-upgrades 2>&1 | tee -a ${var_logfile}
"
do_log "info" "file_only" "4110() The update policy was set at installation time to: '${apt_updates_policy}'."
@@ -58,6 +60,7 @@ update_sources() {
chroot_script "${var_target}" "
export INITRD=No
[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
apt-get install -y --no-install-recommends --no-install-suggests unattended-upgrades 2>&1 | tee -a ${var_logfile}
"
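Review bot: The prelude `[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh` is pasted verbatim into three bodies here and into roughly thirty more across installation_kernel, installation_toolset, installation_systemd, installation_microcode, installation_firmware, installation_chrony, installation_cryptsetup, installation_grub, installation_network, installation_netsec, dropbear_initramfs, installation_ssh, hardening_usb, hardening_virus and the accounts_* files, so the next change to that path or guard has to be repeated everywhere. If chroot_script is the project's own wrapper, prepending the prelude there (or exposing a single `readonly`-declared prelude string that each caller expands once) would give one place to maintain it. Where the prelude is the only line in front of an `apt-get` call, the `export INITRD=No` line is already repeated the same way and could move with it.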


@@ -36,6 +36,7 @@ installation_kernel() {
chroot_script "${TARGET}" "
export INITRD=No
[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
apt-get install -y --no-install-recommends --no-install-suggests ${VAR_KERNEL} initramfs-tools 2>&1 | tee -a ${var_logfile}
"
@@ -47,6 +48,7 @@ installation_kernel() {
chroot_script "${TARGET}" "
export INITRD=No
[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
apt-get install -y --no-install-recommends --no-install-suggests ${image} initramfs-tools 2>&1 | tee -a ${var_logfile}
"
@@ -55,7 +57,6 @@ installation_kernel() {
guard_dir && return 0
fi
}
### Prevents accidental 'unset -f'.
# shellcheck disable=SC2034


@@ -49,8 +49,8 @@ installation_toolset() {
[awk]="gawk"
[gdisk]="gdisk"
[gnupg]="gnupg"
[haveged]="haveged"
[update-initramfs]="initramfs-tools"
[jitterentropy-rngd]="jitterentropy-rngd"
[jq]="jq"
[loadkeys]="kbd"
[setfont]="kbd"
@@ -96,6 +96,7 @@ installation_toolset() {
chroot_script "${TARGET}" "
export INITRD=No
[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
apt-get install -y --no-install-recommends --no-install-suggests ${ary_unique_pkgs[*]} 2>&1 | tee -a ${var_logfile}
"


@@ -35,6 +35,7 @@ installation_systemd() {
chroot_script "${TARGET}" "
export INITRD=No
[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
apt-get install -y --no-install-recommends --no-install-suggests systemd systemd-sysv dbus 2>&1 | tee -a ${var_logfile}
"


@@ -35,4 +35,7 @@ installation_machineid() {
guard_dir && return 0
}
### Prevents accidental 'unset -f'.
# shellcheck disable=SC2034
readonly -f installation_machineid
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh


@@ -28,7 +28,7 @@ installation_masking() {
do_log "info" "file_only" "4133() Masked: [ctrl-alt-del.target sleep.target suspend.target hibernate.target hybrid-sleep.target]"
chroot_script "${TARGET}" "
systemctl mask plymouth-start.service plymouth-quit.service plymouth-quit-wait.service plymouth-read-write.service
systemctl mask plymouth-start.service plymouth-quit.service plymouth-quit-wait.service plymouth-read-write.service
"
do_log "info" "file_only" "4133() Masked: [plymouth-start.service plymouth-quit.service plymouth-quit-wait.service plymouth-read-write.service]"


@@ -56,6 +56,7 @@ installation_microcode() {
chroot_script "${TARGET}" "
export INITRD=No
[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
apt-get install -y --no-install-recommends --no-install-suggests ${var_microcode_pkgs} 2>&1 | tee -a ${var_logfile}
"
@@ -63,6 +64,7 @@ installation_microcode() {
chroot_script "${TARGET}" "
export INITRD=No
[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
apt-get install -y --no-install-recommends --no-install-suggests --only-upgrade ${var_microcode_pkgs} 2>&1 | tee -a ${var_logfile}
"


@@ -294,6 +294,7 @@ installation_firmware() {
chroot_script "${TARGET}" "
export INITRD=No
[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
apt-get install -y --no-install-recommends --no-install-suggests ${ary_pkgs_resolved[*]} 2>&1 | tee -a ${var_logfile}
"


@@ -49,6 +49,7 @@ installation_chrony() {
chroot_script "${TARGET}" "
export INITRD=No
[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
apt-get install -y --no-install-recommends --no-install-suggests chrony 2>&1 | tee -a ${var_logfile}
"
@@ -78,4 +79,7 @@ installation_chrony() {
guard_dir && return 0
}
### Prevents accidental 'unset -f'.
# shellcheck disable=SC2034
readonly -f installation_chrony
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh


@@ -49,6 +49,7 @@ EOF
chroot_script "${TARGET}" "
export INITRD=No
[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
apt-get update
apt-get install -y --no-install-recommends --no-install-suggests eza 2>&1 | tee -a ${var_logfile}
"


@@ -49,6 +49,7 @@ EOF
chroot_script "${TARGET}" "
export INITRD=No
[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
apt-get update
apt-get install -y --no-install-recommends --no-install-suggests lynis 2>&1 | tee -a ${var_logfile}
"


@@ -32,6 +32,7 @@ installation_cryptsetup() {
chroot_script "${TARGET}" "
export INITRD=No
[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
apt-get install -y --no-install-recommends --no-install-suggests cryptsetup cryptsetup-initramfs 2>&1 | tee -a ${var_logfile}
"


@@ -78,6 +78,7 @@ installation_grub() {
amd64)
chroot_script "${TARGET}" "
export INITRD=No
[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
apt-get install -y --no-install-recommends grub2-common grub-efi-amd64 grub-efi-amd64-bin 2>&1 | tee -a ${var_logfile}
"
;;
@@ -85,6 +86,7 @@ installation_grub() {
arm64)
chroot_script "${TARGET}" "
export INITRD=No
[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
apt-get install -y --no-install-recommends grub2-common grub-efi-arm64 grub-efi-arm64-bin 2>&1 | tee -a ${var_logfile}
"
;;
@@ -99,6 +101,7 @@ installation_grub() {
chroot_script "${TARGET}" "
export INITRD=No
[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
apt-get install -y --no-install-recommends grub2-common grub-pc grub-pc-bin 2>&1 | tee -a ${var_logfile}
"


@@ -50,6 +50,9 @@ update_grub_password() {
guard_dir && return 0
}
### Prevents accidental 'unset -f'.
# shellcheck disable=SC2034
readonly -f update_grub_password
#######################################
# Generate PBKDF2 password hash for GRUB.
@@ -79,4 +82,7 @@ EOF
return 0
}
### Prevents accidental 'unset -f'.
# shellcheck disable=SC2034
readonly -f generate_grub_password_pbkdf2
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh


@@ -45,16 +45,19 @@ installation_network() {
chroot_script "${TARGET}" "
export INITRD=No
[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
apt-get purge -y dhcpcd isc-dhcp-client 2>&1 | tee -a ${var_logfile}
"
chroot_script "${TARGET}" "
export INITRD=No
[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
apt-get install -y --no-install-suggests dhcpcd-base ifupdown 2>&1 | tee -a ${var_logfile}
"
chroot_script "${TARGET}" "
export INITRD=No
[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
systemctl disable systemd-networkd NetworkManager 2>/dev/null | tee -a ${var_logfile} || true
"


@@ -29,6 +29,7 @@ installation_netsec() {
chroot_script "${TARGET}" "
export INITRD=No
[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
apt-get install -y --no-install-suggests fail2ban ufw 2>&1 | tee -a ${var_logfile}
"


@@ -37,21 +37,25 @@ dropbear_initramfs() {
chroot_script "${var_target}" "
export INITRD=No
[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
apt-get install -y --no-install-recommends --no-install-suggests dropbear-initramfs dropbear-bin 2>&1 | tee -a ${var_logfile}
"
chroot_script "${var_target}" "
export INITRD=No
[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
apt-get purge -y dropbear dropbear-run || true
"
chroot_script "${var_target}" "
export INITRD=No
[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
apt-get install -y --no-install-recommends --no-install-suggests gpgv 2>&1 | tee -a ${var_logfile}
"
chroot_script "${var_target}" "
export INITRD=No
[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
apt-mark hold dropbear dropbear-initramfs 2>&1 | tee -a ${var_logfile}
"


@@ -38,13 +38,20 @@ installation_ssh() {
### Declare Arrays, HashMaps, and Variables.
declare -a ary_user=()
declare -i i=0
declare -r var_logfile="/root/.ciss/cdi/log/4330_installation_ssh.log"
declare var_auth="" var_name="" var_ca="" var_pub=""
declare var_target="${TARGET}"
### Check for TARGET / RECOVERY.
[[ "${VAR_RUN_RECOVERY}" == "true" ]] && var_target="${RECOVERY}"
chroot_exec "${var_target}" apt-get install -y --no-install-recommends --no-install-suggests ssh
chroot_logger "${var_target}${var_logfile}"
chroot_script "${var_target}" "
export INITRD=No
[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
apt-get install -y --no-install-recommends --no-install-suggests ssh 2>&1 | tee -a ${var_logfile}
"
mkdir -p "${var_target}/etc/systemd/system/ssh.service.d"
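Review bot: Replacing `chroot_exec "${var_target}" apt-get install ... ssh` with a chroot_script body changes what a failure looks like: in `apt-get install ... 2>&1 | tee -a ${var_logfile}` the pipeline's status is tee's, so a failed ssh install no longer surfaces unless chroot_script enables pipefail inside the body, and the function goes on to write the `ssh.service.d` drop-in for a package that is not there. Starting the body with `set -o pipefail`, or testing `"${PIPESTATUS[0]}"` after the pipeline, would restore the check the old chroot_exec call gave for free. The same pattern is added in dropbear_initramfs and installation_network in this commit, though there it mirrors pre-existing bodies; installation_ssh continues outside the hunk.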


@@ -49,6 +49,9 @@ EOF
guard_dir && return 0
}
### Prevents accidental 'unset -f'.
# shellcheck disable=SC2034
readonly -f kernel_modules
#######################################
# Blacklist some kind of potential hazardous modules via '/etc/modprobe.d/0000_ciss_debian_installer.conf'.
@@ -70,4 +73,7 @@ kernel_modprobe() {
guard_dir && return 0
}
### Prevents accidental 'unset -f'.
# shellcheck disable=SC2034
readonly -f kernel_modprobe
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh


@@ -13,7 +13,7 @@
guard_sourcing
#######################################
# Install Kernel Hardening-Presets '/etc/sysctl.d/99_local.hardened'.
# Install Kernel Hardening-Presets '/etc/sysctl.d/9999_ciss_debian_installer.hardened'.
# Globals:
# TARGET
# VAR_SETUP_PATH
@@ -23,13 +23,16 @@ guard_sourcing
# 0: on success
#######################################
kernel_sysctl() {
install -D -m 0644 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/sysctl.d/99_local.hardened" \
"${TARGET}/etc/sysctl.d/99_local.hardened"
install -D -m 0644 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/sysctl.d/9999_ciss_debian_installer.hardened" \
"${TARGET}/etc/sysctl.d/9999_ciss_debian_installer.hardened"
insert_comments "${TARGET}/etc/sysctl.d/99_local.hardened"
insert_comments "${TARGET}/etc/sysctl.d/9999_ciss_debian_installer.hardened"
do_log "info" "file_only" "4410() Installed: '/etc/sysctl.d/99_local.hardened'."
do_log "info" "file_only" "4410() Installed: '/etc/sysctl.d/9999_ciss_debian_installer.hardened'."
guard_dir && return 0
}
### Prevents accidental 'unset -f'.
# shellcheck disable=SC2034
readonly -f kernel_sysctl
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
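Review bot: The renamed drop-in `/etc/sysctl.d/9999_ciss_debian_installer.hardened` keeps a suffix other than `.conf`, and `systemd-sysctl` / `sysctl --system` only load `*.conf` from `/etc/sysctl.d`, so unless another unit or script applies this file explicitly the hardening presets are installed but never take effect at boot. Since the rename already touches the `install -D`, `insert_comments` and `do_log` lines, naming the target `9999_ciss_debian_installer.conf` would settle it in the same hunk; if the suffix is deliberate, a comment in the header block naming what loads the file would save the next reader the same question. The header comment changed in the first hunk should then be kept in step with whichever name is chosen.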


@@ -38,4 +38,7 @@ EOF
guard_dir && return 0
}
### Prevents accidental 'unset -f'.
# shellcheck disable=SC2034
readonly -f hardening_haveged
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh


@@ -0,0 +1,43 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
guard_sourcing
#######################################
# Hardening hardening_jitterentropy.
# Globals:
# TARGET
# Arguments:
# None
# Returns:
# 0: on success
#######################################
hardening_jitterentropy() {
declare var_target="${TARGET}"
### Check for TARGET / RECOVERY.
[[ "${VAR_RUN_RECOVERY}" == "true" ]] && var_target="${RECOVERY}"
mkdir -p "${var_target}/etc/systemd/system/jitterentropy-rngd.service.d"
cat << EOF >> "${var_target}/etc/systemd/system/jitterentropy-rngd.service.d/override.conf"
[Service]
ExecStart=
ExecStart=/usr/sbin/jitterentropy-rngd --sp800-90b --osr=7
EOF
guard_dir && return 0
}
### Prevents accidental 'unset -f'.
# shellcheck disable=SC2034
readonly -f hardening_jitterentropy
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
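Review bot: `cat << EOF >> .../jitterentropy-rngd.service.d/override.conf` appends, so a second run leaves duplicated `[Service]` / `ExecStart=` blocks in the drop-in; the sibling functions write generated files with `>|`, so `cat << 'EOF' >| "${var_target}/etc/systemd/system/jitterentropy-rngd.service.d/override.conf"` would make it idempotent, and quoting the delimiter makes explicit that nothing in the body is expanded. The header block lists only `TARGET` under Globals although the function also reads `RECOVERY` and `VAR_RUN_RECOVERY` on the `[[ "${VAR_RUN_RECOVERY}" == "true" ]]` line, and `# Hardening hardening_jitterentropy.` reads like a placeholder — `# Override the jitterentropy-rngd unit to run with --sp800-90b --osr=7 via a systemd drop-in.` describes what the body does. `mkdir -p` could be `install -d -m 0755 -o root -g root` to match how the other functions create directories.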


@@ -73,4 +73,7 @@ EOF
guard_dir && return 0
}
### Prevents accidental 'unset -f'.
# shellcheck disable=SC2034
readonly -f hardening_logrotate
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh


@@ -102,6 +102,9 @@ EOF
guard_dir && return 0
}
### Prevents accidental 'unset -f'.
# shellcheck disable=SC2034
readonly -f hardening_memory
#######################################
# Ensure 'pam_limits.so' is activated in:
@@ -158,4 +161,7 @@ guard_pam_limits() {
guard_dir && return 0
}
### Prevents accidental 'unset -f'.
# shellcheck disable=SC2034
readonly -f guard_pam_limits
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh


@@ -32,4 +32,7 @@ hardening_openssl() {
guard_dir && return 0
}
### Prevents accidental 'unset -f'.
# shellcheck disable=SC2034
readonly -f hardening_openssl
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh


@@ -97,4 +97,7 @@ hardening_ufw() {
guard_dir && return 0
}
### Prevents accidental 'unset -f'.
# shellcheck disable=SC2034
readonly -f hardening_ufw
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh


@@ -30,6 +30,7 @@ hardening_usb() {
### Preparing USBGuard: see https://www.privacy-handbuch.de/handbuch_91a.htm
chroot_script "${TARGET}" "
export INITRD=No
[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
apt-get install -y --no-install-recommends --no-install-suggests usbguard 2>&1 | tee -a ${var_logfile}
touch /tmp/rules.conf


@@ -29,6 +29,7 @@ hardening_virus() {
chroot_script "${TARGET}" "
export INITRD=No
[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
apt-get install -y --no-install-recommends --no-install-suggests rkhunter 2>&1 | tee -a ${var_logfile}
"


@@ -36,6 +36,7 @@ accounts_preparation() {
chroot_script "${var_target}" "
export INITRD=No
[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
apt-get install -y --no-install-recommends --no-install-suggests bash-completion fzf 2>&1 | tee -a ${var_logfile}
"


@@ -31,8 +31,8 @@ accounts_preparation_ciss() {
### Check for TARGET / RECOVERY.
[[ "${VAR_RUN_RECOVERY}" == "true" ]] && var_target="${RECOVERY}"
install -m 0600 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/skel/.bashrc" "${var_target}/etc/skel/.bashrc"
install -m 0600 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/skel/.zshrc" "${var_target}/etc/skel/.zshrc"
install -m 0600 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/skel/.ciss.bashrc" "${var_target}/etc/skel/.bashrc"
install -m 0600 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/skel/.ciss.zshrc" "${var_target}/etc/skel/.zshrc"
install -m 0600 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/skel/.ciss/theme_eza_ciss.yml" "${var_target}/etc/skel/.ciss/"
install -m 0600 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/skel/.ciss/alias" "${var_target}/etc/skel/.ciss/"
install -m 0700 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/skel/.ciss/check_chrony.sh" "${var_target}/etc/skel/.ciss/"
@@ -50,9 +50,6 @@ accounts_preparation_ciss() {
insert_comments "${var_target}/etc/skel/.ciss/scan_libwrap"
insert_comments "${var_target}/etc/skel/.ciss/shortcuts"
### In order to be able to copy/paste from vim, one needs to create a '.vimrc' in every home directory with the following content:
echo 'set clipboard=unnamed' >| "${var_target}/etc/skel/.vimrc"
chmod 0600 "${var_target}/etc/skel/.vimrc"
guard_dir && return 0
}
### Prevents accidental 'unset -f'.


@@ -30,6 +30,25 @@ accounts_preparation_physnet() {
### Check for TARGET / RECOVERY.
[[ "${VAR_RUN_RECOVERY}" == "true" ]] && var_target="${RECOVERY}"
install -m 0600 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/skel/.physnet.bashrc" "${var_target}/etc/skel/.bashrc"
install -m 0600 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/skel/.physnet.zshrc" "${var_target}/etc/skel/.zshrc"
install -m 0600 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/skel/.ciss/theme_eza_ciss.yml" "${var_target}/etc/skel/.ciss/"
install -m 0600 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/skel/.ciss/alias" "${var_target}/etc/skel/.ciss/"
install -m 0700 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/skel/.ciss/check_chrony.sh" "${var_target}/etc/skel/.ciss/"
install -m 0700 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/skel/.ciss/clean_logout.sh" "${var_target}/etc/skel/.ciss/"
install -m 0600 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/skel/.ciss/f2bchk" "${var_target}/etc/skel/.ciss/"
install -m 0600 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/skel/.ciss/scan_libwrap" "${var_target}/etc/skel/.ciss/"
install -m 0600 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/skel/.ciss/shortcuts" "${var_target}/etc/skel/.ciss/"
insert_comments "${var_target}/etc/skel/.bashrc"
insert_comments "${var_target}/etc/skel/.zshrc"
insert_comments "${var_target}/etc/skel/.ciss/alias"
insert_comments "${var_target}/etc/skel/.ciss/check_chrony.sh"
insert_comments "${var_target}/etc/skel/.ciss/clean_logout.sh"
insert_comments "${var_target}/etc/skel/.ciss/f2bchk"
insert_comments "${var_target}/etc/skel/.ciss/scan_libwrap"
insert_comments "${var_target}/etc/skel/.ciss/shortcuts"
guard_dir && return 0
}
### Prevents accidental 'unset -f'.
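Review bot: The nine `install` and eight `insert_comments` lines added here duplicate the list in accounts_preparation_ciss, differing only in the `.physnet.bashrc` / `.physnet.zshrc` sources, so the two functions will drift the next time a skel file is added; a shared array of mode/source/destination entries iterated by one helper, with the rc-file prefix as its parameter, would keep them in step. Every destination ending in `/.ciss/` assumes `${var_target}/etc/skel/.ciss` already exists, which `install` without `-D` does not create; that is presumably handled earlier in accounts_preparation_physnet, whose start is outside the hunk, but an explicit `install -d` for the directory before the first copy would make the precondition visible. `theme_eza_ciss.yml` is the only copied file that is not passed to `insert_comments`, which looks intentional for a YAML file and would be worth a one-line comment.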


@@ -39,13 +39,14 @@ accounts_hardening() {
ary_security_pkgs=( "libpam-google-authenticator" "wamerican" "wbritish" "wfrench" "wngerman" )
chroot_script "${var_target}" "
export INITRD=No
[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
apt-get install -y --no-install-recommends --no-install-suggests ${ary_security_pkgs[*]} 2>&1 | tee -a ${var_logfile}
"
### Preparing 2fa hardening.
install -d -m 0755 -o root -g root "${var_target}/etc/ciss"
touch "${var_target}/etc/ciss/2fa.users"
chmod 0640 "${var_target}/etc/ciss/2fa.users"
chmod 0600 "${var_target}/etc/ciss/2fa.users"
### Keep 'tty1' active, disable the rest.
# shellcheck disable=SC2016


@@ -12,12 +12,6 @@
guard_sourcing
# TODO: sudo TOTP deactivation
# TODO: PAM Module
# TODO: Check Password activation
# TODO: Check expiration and other dates
# TODO: Logic
#######################################
# Updating user accounts.
# Globals:
@@ -59,6 +53,12 @@ accounts_setup() {
chroot_logger "${var_target}${var_logfile}"
### Update pam modules for 2fa.
write_pam_login "${var_target}"
write_pam_sshd "${var_target}"
write_pam_su "${var_target}"
write_pam_sudo "${var_target}"
### Prepare the '2fa'-seed variable.
read_totp_seed
do_log "debug" "file_only" "4520() Command: [read_totp_seed]"
@@ -66,56 +66,17 @@ accounts_setup() {
### 0) The 'root' account is generated via debootstrap by default.
### 1) Prepare the 'root' account.
install -d -m 0700 -o root -g root "${var_target}/root/.ssh"
install -m 0600 -o root -g root /dev/null "${var_target}/root/.ssh/authorized_keys"
install -m 0600 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/skel/.bashrc" "${var_target}/root/"
install -m 0600 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/skel/.ciss/theme_eza_ciss.yml" "${var_target}/root/.ciss/"
install -m 0600 -o root -g root "${VAR_SETUP_PATH}/includes/target/root/.ciss/alias" "${var_target}/root/.ciss/"
install -m 0700 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/skel/.ciss/check_chrony.sh" "${var_target}/root/.ciss/"
install -m 0700 -o root -g root "${VAR_SETUP_PATH}/includes/target/root/.ciss/clean_logout.sh" "${var_target}/root/.ciss/"
install -m 0600 -o root -g root "${VAR_SETUP_PATH}/includes/target/root/.ciss/f2bchk" "${var_target}/root/.ciss/"
install -m 0600 -o root -g root "${VAR_SETUP_PATH}/includes/target/root/.ciss/scan_libwrap" "${var_target}/root/.ciss/"
install -m 0600 -o root -g root "${VAR_SETUP_PATH}/includes/target/root/.ciss/shortcuts" "${var_target}/root/.ciss/"
case "${VAR_USER_ROOT_SPECIFIC}" in
if [[ "${user_root_shell}" == "/bin/zsh" ]]; then
"ciss" ) accounts_setup_ciss_root ;;
if [[ -x "${var_target}${user_root_shell}" ]]; then
"physnet") accounts_setup_physnet_root ;;
case "${VAR_USER_ROOT_SPECIFIC,,}" in
"none" ) do_log "info" "file_only" "4520() Account preparation [none] selected." ;;
"ciss")
zsh_omz_installer "root" "${var_target}"
mv "${var_target}/root/.zshrc" "${var_target}/root/.zshrc.bak"
install -m 0600 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/skel/.zshrc" "${var_target}/root/"
;;
* ) do_log "warn" "file_only" "4520() Account preparation nothing selected. Keeping defaults." ;;
"physnet")
:
;;
"none"|*)
:
;;
esac
chroot_exec "${var_target}" chsh -s "${user_root_shell}" root
do_log "info" "file_only" "4520() Shell: '${user_root_shell}' used for: 'root'."
else
chroot_exec "${var_target}" chsh -s /bin/bash root
do_log "info" "file_only" "4520() Shell: '${user_root_shell}' not found for: 'root'. Using '/bin/bash' instead."
fi
fi
### To be able to copy/paste from vim, one needs to create a '.vimrc' with the following content:
echo 'set clipboard=unnamed' >| "${var_target}/root/.vimrc"
chmod 0600 "${var_target}/root/.vimrc"
do_log "info" "file_only" "4520() Skeleton: 'root' successfully generated."
esac
### 2) Check SSH access capabilities.
case "${user_root_authentication_access_ssh,,}" in
@@ -126,6 +87,7 @@ accounts_setup() {
;;
true)
### SSH Public Key per default, only.
sed -i -E "s|^[[:space:]]*PermitRootLogin[[:space:]]+.*$|$(printf '%-29s%s' 'PermitRootLogin' 'prohibit-password')|" "${var_target}/etc/ssh/sshd_config"
do_log "info" "file_only" "4520() User: 'root' SSH access: [PermitRootLogin prohibit-password]"
;;
@@ -141,54 +103,26 @@ accounts_setup() {
case "${user_root_authentication_access_tty,,}" in
false)
### 3) A) 1) Ensure the 'pam_access' line is not activated in '/etc/pam.d/login' and '/etc/pam.d/sshd' in parallel.
pam_access_sync_login_sshd
### 3) A) 2) Ensure 'pam_securetty' in the auth phase; requisite causes immediate fail for disallowed ttys.
chroot_stdin "${var_target}" "__payload__" <<'EOF'
export LC_ALL=C
if ! grep -Eq '^[[:space:]]*auth[[:space:]]+requisite[[:space:]]+pam_securetty[.]so([[:space:]]|$)' /etc/pam.d/login; then
tmp="$(mktemp /etc/pam.d/login.XXXXXX)"
awk '
BEGIN { ins=0 }
{
if (!ins && $0 ~ /^[[:space:]]*auth[[:space:]]+.*pam_unix[.]so/) {
print "auth requisite pam_securetty.so"
ins=1
}
print
}
END {
if (!ins) print "auth requisite pam_securetty.so"
}
' /etc/pam.d/login >| "${tmp}"
test -s "${tmp}"
mv -f "${tmp}" /etc/pam.d/login
rm -f -- "${tmp}"
fi
:
EOF
### 3) A) 3) Disallow all local access for root in '/etc/security/access.conf'.
### Disallow all local access for root in '/etc/security/access.conf'.
printf -- '-: root:ALL\n' >> "${var_target}/etc/security/access.conf"
do_log "info" "file_only" "4520() User: 'root' [disallow all local access in '/etc/security/access.conf']"
### 3) A) 4) Empty "/etc/securetty".
### Empty "/etc/securetty".
cat << 'EOF' >| "${var_target}/etc/securetty"
EOF
do_log "info" "file_only" "4520() User: 'root' tty access: [false]"
do_log "info" "file_only" "4520() User: 'root' [empty '/etc/securetty']"
;;
true)
### 3) B) 1) Allow local access for 'root' only on 'tty1' in '/etc/security/access.conf'.
### Allow local access for 'root' only on 'tty1' in '/etc/security/access.conf'.
printf -- "+: root:tty1 \n" >> "${var_target}/etc/security/access.conf"
do_log "info" "file_only" "4520() User: 'root' [allow local access on tty1 in '/etc/security/access.conf']"
### 3) B) 2) Allow local access for 'root' only on 'tty1' in '/etc/securetty'.
### Allow local access for 'root' only on 'tty1' in '/etc/securetty'.
cat << 'EOF' >| "${var_target}/etc/securetty"
tty1
EOF
do_log "info" "file_only" "4520() User: 'root' tty access: [true]"
do_log "info" "file_only" "4520() User: 'root' [tty1 in '/etc/securetty']."
;;
*)
@@ -199,6 +133,8 @@ EOF
esac
### 4) Check the password policy for the 'root' account.
chroot_script "${var_target}" "printf '%s:%s\n' 'root' '${user_root_password}' | /usr/sbin/chpasswd -e"
case "${user_root_authentication_password,,}" in
false)
@@ -207,8 +143,7 @@ EOF
;;
true)
chroot_script "${var_target}" "printf '%s:%s\n' 'root' '${var_password}' | /usr/sbin/chpasswd -e"
#chroot_script "${var_target}" "/usr/sbin/usermod -p '${user_root_password}' root"
chroot_script "${var_target}" "passwd -u root"
do_log "info" "file_only" "4520() User: 'root' password access: [true]"
;;
@@ -227,17 +162,16 @@ EOF
fi
### 6) Update the 'root' 'totp'-policy and write the '.google_authenticator'-file.
### 6) Update the 'root' 'totp'-policy-user file and write the '.google_authenticator'-file.
if [[ "${user_root_authentication_2fa_ssh}" == "true" || "${user_root_authentication_2fa_tty}" == "true" ]]; then
write_google_authenticator_file "root" "0" "0" "${var_target}"
printf '%s\n' "root" >> "${var_target}/etc/ciss/2fa.users"
fi
if [[ "${user_root_authentication_2fa_ssh}" == "true" ]]; then
pam_access_totp_enable "root" "sshd" "${var_target}"
var_ssh_totp_update="true"
cat << EOF >> "${var_target}/etc/ssh/sshd_config"
Match User root
@@ -246,8 +180,6 @@ Match User root
EOF
fi
[[ "${user_root_authentication_2fa_tty}" == "true" ]] && pam_access_totp_enable "root" "login" "${var_target}"
### 7) Install eza themes.
eza_installer "root" "${var_target}"
@@ -844,172 +776,6 @@ EOF
# shellcheck disable=SC2034
readonly -f hardening_sudo
#######################################
# Ensure the 'pam_access' line is not activated in '/etc/pam.d/login' and '/etc/pam.d/sshd' in parallel.
# MUST be executed inside chroot.
# Globals:
# None
# Arguments:
# None
# Returns:
# 0: on success
#######################################
pam_access_sync_login_sshd() {
### Declare Arrays, HashMaps, and Variables.
declare var_file_login="/etc/pam.d/login"
declare var_file_sshd="/etc/pam.d/sshd"
### Guard: The file must exist, no-op otherwise.
if [[ ! -f "${var_target}${var_file_login}" ]]; then
return 0
fi
### 1) If the 'pam_access' line is commented in '/etc/pam.d/login', uncomment exactly one occurrence.
chroot_stdin "${var_target}" "__payload__" <<'EOF'
tmp="$(mktemp /etc/pam.d/login.XXXXXX)"
export LC_ALL=C
awk '
BEGIN { done=0 }
{
if (!done) {
line=$0
sub(/^[[:space:]]*#+[[:space:]]*/, "", line)
if (line ~ /^[[:space:]]*account[[:space:]]+required[[:space:]]+pam_access[.]so([[:space:]]|$)/) {
print line; done=1; next
}
}
print
}
' /etc/pam.d/login >| "${tmp}"
test -s "${tmp}"
mv -f "${tmp}" /etc/pam.d/login
rm -f "${tmp}" || :
:
EOF
### 2) If '/etc/pam.d/login' now has an active pam_access line, ensure '/etc/pam.d/sshd' pam_access line(s) are commented out.
### No-op if '/etc/pam.d/sshd' is absent.
[[ -f "${var_target}${var_file_sshd}" ]] || return 0
chroot_stdin "${var_target}" "__payload__" <<'EOF'
export LC_ALL=C
if grep -Eq '^[[:space:]]*account[[:space:]]+required[[:space:]]+pam_access[.]so([[:space:]]|$)' /etc/pam.d/login; then
tmp="$(mktemp /etc/pam.d/sshd.XXXXXX)"
awk '
/^[[:space:]]*account[[:space:]]+required[[:space:]]+pam_access[.]so([[:space:]]|$)/ { print "# " $0; next }
{ print }
' /etc/pam.d/sshd >| "${tmp}"
test -s "${tmp}"
mv -f "${tmp}" /etc/pam.d/sshd
rm -f "${tmp}" || :
fi
:
EOF
return 0
}
### Prevents accidental 'unset -f'.
# shellcheck disable=SC2034
readonly -f pam_access_sync_login_sshd
#######################################
# Enable per-user TOTP in a given PAM service (login, sshd, su, sudo).
# Globals:
# None
# Arguments:
# 1: username
# 2: pam_module
# 3: target
# Returns:
# 0: on success
#######################################
pam_access_totp_enable() {
### Declare Arrays, HashMaps, and Variables.
declare -r var_user="${1}" var_module="${2}" var_target="${3}"
declare -r var_pam_file="/etc/pam.d/${var_module}"
declare -r var_users_file="${var_target}/etc/ciss/2fa.users"
declare -r var_allowlist="/etc/ciss/2fa.users"
### Basic sanitation; module must be a safe 'pam.d' filename.
[[ -n "${var_user:-}" && -n "${var_module:-}" ]] || return 0
[[ "${var_module}" =~ ^[A-Za-z0-9._+-]+$ ]] || return 0
[[ -f "${var_target}${var_pam_file}" ]] || return 0
### 0) Ensure the allowlist file contains the user (deduplicated).
if ! grep -Fxq "${var_user}" "${var_users_file}"; then
printf '%s\n' "${var_user}" >> "${var_users_file}"
fi
### 1) Ensure a single CISS TOTP framework block is present in the PAM file.
### The block gates GA by pam_listfile over '/etc/ciss/2fa.users'.
### We place it right after pam_unix.so or @include common-auth; fallback: append.
chroot_stdin "${var_target}" "__payload__" -- "${var_pam_file}" "${var_allowlist}" <<'EOF'
export LC_ALL=C
pam="$1"
allowlist="$2"
tmp="$(mktemp "${pam}.XXXXXX")"
awk -v MARK_S="# CISS TOTP START" -v MARK_E="# CISS TOTP END" -v allowlist="${allowlist}" '
BEGIN { ins=0 }
{
print
if (!ins && ($0 ~ /^[[:space:]]*auth[[:space:]]+.*pam_unix[.]so/ \
|| $0 ~ /^[[:space:]]*@include[[:space:]]+common-auth/)) {
print MARK_S
### Only users in allowlist must pass GA:
### pam_listfile sense=deny succeeds for non-listed > skip next line (GA)
print "auth [success=1 default=ignore] pam_listfile.so item=user sense=deny file=" allowlist " onerr=ignore"
print "auth required pam_google_authenticator.so"
print MARK_E
ins=1
}
}
END {
if (!ins) {
print MARK_S
print "auth [success=1 default=ignore] pam_listfile.so item=user sense=deny file=" allowlist " onerr=ignore"
print "auth required pam_google_authenticator.so"
print MARK_E
}
}
' "${pam}" >| "${tmp}"
test -s "${tmp}"
mv -f "${tmp}" "${pam}"
rm -f -- "${tmp}" || :
:
EOF
### 2) Comment out any other active GA lines to avoid double prompts.
chroot_stdin "${var_target}" "__payload__" -- "${var_pam_file}" <<'EOF'
export LC_ALL=C
pam="$1"
tmp="$(mktemp "${pam}.XXXXXX")"
awk '
BEGIN { in_ciss=0 }
/^# CISS TOTP START$/ { in_ciss=1; print; next }
/^# CISS TOTP END$/ { in_ciss=0; print; next }
{
if (!in_ciss && $0 ~ /^[[:space:]]*auth[[:space:]]+.*pam_google_authenticator[.]so/ && $0 !~ /^[[:space:]]*#/) {
print "# " $0
} else {
print
}
}
' "${pam}" >| "${tmp}"
test -s "${tmp}"
mv -f "${tmp}" "${pam}"
rm -f -- "${tmp}" || :
:
EOF
return 0
}
### Prevents accidental 'unset -f'.
# shellcheck disable=SC2034
readonly -f pam_access_totp_enable
#######################################
# Reads a 256-bit seed from '${DIR_CNF}/mfa_master.txt' (64 hex chars) into VAR_TEMP_PLAIN_MFA_SEED.
# Globals:
@@ -1113,6 +879,379 @@ write_google_authenticator_file() {
# shellcheck disable=SC2034
readonly -f write_google_authenticator_file
#######################################
# Writes CISS Header for '/etc/pam.d/login'.
# Globals:
# None
# Arguments:
# 1: TARGET
# Returns:
# 0: on success
#######################################
write_pam_login() {
### Declare Arrays, HashMaps, and Variables.
declare -r var_target="$1"
mv "${var_target}/etc/pam.d/login" "${var_target}/root/.ciss/cdi/backup/etc/pam.d/login"
insert_header "${var_target}/etc/pam.d/login"
insert_comments "${var_target}/etc/pam.d/login"
cat << EOF >> "${var_target}/etc/pam.d/login"
#
# The PAM configuration file for the Shadow 'login' service
#
# --- AUTH phase ---------------------------------------------------------------------------------------------------------------
# Root only on secure ttys listed in '/etc/securetty' (fail fast, no prompts).
auth requisite pam_securetty.so
# Enforce a minimal delay in case of failure (in microseconds). (Replaces the 'FAIL_DELAY' setting from login.defs).
# Note that other modules may require another minimal delay. (For example, to disable any delay, you should add the 'nodelay'
# option to pam_unix).
auth optional pam_faildelay.so delay=3200000
# Outputs an issue file prior to each login prompt (Replaces the ISSUE_FILE option from login.defs). Uncomment for use.
#auth required pam_issue.so issue=/etc/issue
# Disallows other than root logins when /etc/nologin exists. (Replaces the 'NOLOGINS_FILE' option from login.defs).
auth requisite pam_nologin.so
# SELinux needs to be the first session rule. This ensures that any lingering context has been cleared. Without this it is
# possible that a module could execute code in the wrong domain. When the module is present, "required" would be sufficient
# (When SELinux is disabled, this returns success.)
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
# Sets the loginuid process attribute
session required pam_loginuid.so
# Prints the message of the day upon successful login. (Replaces the 'MOTD_FILE' option in login.defs). This includes a
# dynamically generated part from /run/motd.dynamic, and a static (admin-editable) part from /etc/motd.
session optional pam_motd.so motd=/run/motd.dynamic
session optional pam_motd.so noupdate
# SELinux needs to intervene at login time to ensure that the process starts in the proper default security context. Only
# sessions which are intended to run in the user's context should be run after this. The module pam_selinux.so changes the
# SELinux context of the used TTY and configures SELinux in order to transition to the user context with the next execve()
# call.
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
# When the module is present, "required" would be sufficient (When SELinux is disabled, this returns success.)
# This module parses environment configuration file(s) and also allows you to use an extended config file
# /etc/security/pam_env.conf. Parsing /etc/environment needs "readenv=1"
session required pam_env.so readenv=1
# Locale variables can also be set in /etc/default/locale reading this file *in addition to /etc/environment* does not hurt.
session required pam_env.so readenv=1 envfile=/etc/default/locale
# Standard Un*x authentication.
@include common-auth
# ===== CISS 2FA block ========
# If user is NOT listed -> succeed and SKIP next two lines (no TOTP prompt).
auth [success=2 default=ignore] pam_listfile.so item=user sense=deny file=/etc/ciss/2fa.users onerr=ignore
# For listed users: enforce that the secret file exists, else deny without prompting.
# pam_google_authenticator will itself fail if the file is absent; we add a clear hint before it.
# No 'nullok' here: listed users MUST have a secret; missing -> hard fail.
auth required pam_echo.so file=/etc/ciss/pam_login_totp.prompt
auth required pam_google_authenticator.so disallow-reuse
# ===== CISS 2FA block end =====
# This allows certain extra groups to be granted to a user based on things like time of day, tty, service, and user. Please
# edit /etc/security/group.conf to fit your needs (Replaces the 'CONSOLE_GROUPS' option in login.defs).
auth optional pam_group.so
# Uncomment and edit /etc/security/time.conf if you need to set time restraint on logins. (Replaces the 'PORTTIME_CHECKS_ENAB'
# option from login.defs as well as /etc/porttime).
#account requisite pam_time.so
# Uncomment and edit /etc/security/access.conf if you need to set access limits. (Replaces /etc/login.access file).
#account required pam_access.so
# Sets up user limits according to /etc/security/limits.conf. (Replaces the use of /etc/limits in old login).
session required pam_limits.so
# Prints the status of the user's mailbox upon successful login (Replaces the 'MAIL_CHECK_ENAB' option from login.defs).
# This also defines the MAIL environment variable. However, userdel also needs MAIL_DIR and MAIL_FILE variables in
# /etc/login.defs to make sure that removing a user also removes the user's mail spool file. See comments in /etc/login.defs.
session optional pam_mail.so standard
# Create a new session keyring.
session optional pam_keyinit.so force revoke
# Console-only access control for this service (do NOT also enable in common-account).
account requisite pam_access.so
# Standard Un*x account and session
@include common-account
@include common-session
@include common-password
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
EOF
do_log "info" "file_only" "4520() Written: [/etc/pam.d/login]."
cat << 'EOF' >| "${var_target}/etc/ciss/pam_login_totp.prompt"
Please enter your 6-digit TOTP or 8-digit Backup code:
EOF
chmod 0444 "${var_target}/etc/ciss/pam_login_totp.prompt"
do_log "info" "file_only" "4520() Written: [/etc/ciss/pam_login_totp.prompt]."
return 0
}
### Prevents accidental 'unset -f'.
# shellcheck disable=SC2034
readonly -f write_pam_login
#######################################
# Writes CISS Header for '/etc/pam.d/sshd'.
# Globals:
# None
# Arguments:
# 1: TARGET
# Returns:
# 0: on success
#######################################
write_pam_sshd() {
### Declare Arrays, HashMaps, and Variables.
declare -r var_target="$1"
mv "${var_target}/etc/pam.d/sshd" "${var_target}/root/.ciss/cdi/backup/etc/pam.d/sshd"
insert_header "${var_target}/etc/pam.d/sshd"
insert_comments "${var_target}/etc/pam.d/sshd"
cat << EOF >> "${var_target}/etc/pam.d/sshd"
#
# PAM configuration for the Secure Shell service
#
# ===== CISS 2FA block ========
# If user is NOT listed -> succeed and SKIP next two lines (silent Keyboard-Interactive (KI) success).
auth [success=2 default=ignore] pam_listfile.so item=user sense=deny file=/etc/ciss/2fa.users onerr=ignore
# For listed users: enforce that the secret file exists, else deny without prompting.
# pam_google_authenticator will itself fail if the file is absent; we add a clear hint before it.
# No 'nullok' here: listed users MUST have a secret; missing -> hard fail.
auth required pam_echo.so file=/etc/ciss/pam_ssh_totp.prompt
auth required pam_google_authenticator.so disallow-reuse
# For non-2FA users KI must be a silent success to satisfy AuthenticationMethods.
auth sufficient pam_permit.so
# ===== CISS 2FA block end =====
# Keep the rest as shipped by Debian. It will be short-circuited by pam_permit for KI and never reached for 2FA users after
# successful GA.
# Standard Un*x authentication.
@include common-auth
# Disallow non-root logins when /etc/nologin exists.
account required pam_nologin.so
# Uncomment and edit /etc/security/access.conf if you need to set complex access limits that are hard to express in sshd_config.
#account required pam_access.so
# Standard Un*x authorization.
@include common-account
# SELinux needs to be the first session rule. This ensures that any lingering context has been cleared. Without this it is
# possible that a module could execute code in the wrong domain.
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
# Set the loginuid process attribute.
session required pam_loginuid.so
# Create a new session keyring.
session optional pam_keyinit.so force revoke
# Standard Un*x session setup and teardown.
@include common-session
# Print the message of the day upon successful login. This includes a dynamically generated part from /run/motd.dynamic and a
# static (admin-editable) part from /etc/motd.
session optional pam_motd.so motd=/run/motd.dynamic
session optional pam_motd.so noupdate
# Print the status of the user's mailbox upon successful login.
session optional pam_mail.so standard noenv
# Set up user limits from /etc/security/limits.conf.
session required pam_limits.so
# Read environment variables from /etc/environment and /etc/security/pam_env.conf.
session required pam_env.so
# In Debian 4.0 (etch), locale-related environment variables were moved to /etc/default/locale, so read that as well.
session required pam_env.so envfile=/etc/default/locale
# SELinux needs to intervene at login time to ensure that the process starts in the proper default security context. Only
# sessions which are intended to run in the user's context should be run after this.
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
# Standard Un*x password updating.
@include common-password
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
EOF
do_log "info" "file_only" "4520() Written: [/etc/pam.d/sshd]."
cat << 'EOF' >| "${var_target}/etc/ciss/pam_ssh_totp.prompt"
Please enter your 6-digit TOTP or 8-digit Backup code:
EOF
chmod 0444 "${var_target}/etc/ciss/pam_ssh_totp.prompt"
do_log "info" "file_only" "4520() Written: [/etc/ciss/pam_ssh_totp.prompt]."
return 0
}
### Prevents accidental 'unset -f'.
# shellcheck disable=SC2034
readonly -f write_pam_sshd
#######################################
# Writes CISS Header for '/etc/pam.d/su'.
# Globals:
# None
# Arguments:
# 1: TARGET
# Returns:
# 0: on success
#######################################
write_pam_sudo() {
### Declare Arrays, HashMaps, and Variables.
declare -r var_target="$1"
mv "${var_target}/etc/pam.d/su" "${var_target}/root/.ciss/cdi/backup/etc/pam.d/su"
insert_header "${var_target}/etc/pam.d/su"
insert_comments "${var_target}/etc/pam.d/su"
cat << EOF >> "${var_target}/etc/pam.d/su"
#
# PAM configuration for the su service
#
# If caller is already root, allow quickly without further auth:
auth sufficient pam_rootok.so
# Reuse a recent successful su-auth within the TTL:
auth sufficient pam_timestamp.so
# Standard password for the target account (root or other):
@include common-auth
# ===== CISS 2FA block ========
# If user is NOT listed -> succeed and SKIP next two lines (no TOTP prompt).
auth [success=2 default=ignore] pam_listfile.so item=user sense=deny file=/etc/ciss/2fa.users onerr=ignore
# For listed users: enforce that the secret file exists, else deny without prompting.
# pam_google_authenticator will itself fail if the file is absent; we add a clear hint before it.
# No 'nullok' here: listed users MUST have a secret; missing -> hard fail.
auth required pam_echo.so file=/etc/ciss/pam_su_totp.prompt
auth required pam_google_authenticator.so disallow-reuse
# ===== CISS 2FA block end =====
@include common-account
@include common-session
# Keep a ticket to avoid re-prompts during this shell session:
session optional pam_timestamp.so
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
EOF
do_log "info" "file_only" "4520() Written: [/etc/pam.d/su]."
cat << 'EOF' >| "${var_target}/etc/ciss/pam_su_totp.prompt"
Please enter the 6-digit TOTP or 8-digit Backup code of the target user:
EOF
chmod 0444 "${var_target}/etc/ciss/pam_su_totp.prompt"
do_log "info" "file_only" "4520() Written: [/etc/ciss/pam_su_totp.prompt]."
return 0
}
### Prevents accidental 'unset -f'.
# shellcheck disable=SC2034
readonly -f write_pam_su
#######################################
# Writes CISS Header for '/etc/pam.d/sudo'.
# Globals:
# None
# Arguments:
# 1: TARGET
# Returns:
# 0: on success
#######################################
write_pam_sudo() {
### Declare Arrays, HashMaps, and Variables.
declare -r var_target="$1"
mv "${var_target}/etc/pam.d/sudo" "${var_target}/root/.ciss/cdi/backup/etc/pam.d/sudo"
insert_header "${var_target}/etc/pam.d/sudo"
insert_comments "${var_target}/etc/pam.d/sudo"
cat << EOF >> "${var_target}/etc/pam.d/sudo"
#
# PAM configuration for the sudo service
#
# Reuse a recent successful auth to avoid re-prompting within the TTL.
auth sufficient pam_timestamp.so
# Standard UNIX password:
@include common-auth
# ===== CISS 2FA block ========
# If user is NOT listed -> succeed and SKIP next two lines (no TOTP prompt).
auth [success=2 default=ignore] pam_listfile.so item=user sense=deny file=/etc/ciss/2fa.users onerr=ignore
# For listed users: enforce that the secret file exists, else deny without prompting.
# pam_google_authenticator will itself fail if the file is absent; we add a clear hint before it.
# No 'nullok' here: listed users MUST have a secret; missing -> hard fail.
auth required pam_echo.so file=/etc/ciss/pam_sudo_totp.prompt
auth required pam_google_authenticator.so disallow-reuse
# ===== CISS 2FA block end =====
# Accounts, sessions:
@include common-account
@include common-session-noninteractive
# Maintain a pam_timestamp ticket on successful sudo to suppress re-prompts.
session optional pam_timestamp.so
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
EOF
do_log "info" "file_only" "4520() Written: [/etc/pam.d/sudo]."
cat << 'EOF' >| "${var_target}/etc/ciss/pam_sudo_totp.prompt"
Please enter your 6-digit TOTP or 8-digit Backup code:
EOF
chmod 0444 "${var_target}/etc/ciss/pam_sudo_totp.prompt"
do_log "info" "file_only" "4520() Written: [/etc/ciss/pam_sudo_totp.prompt]."
return 0
}
### Prevents accidental 'unset -f'.
# shellcheck disable=SC2034
readonly -f write_pam_sudo
#######################################
# Use the official ohmyzsh-installer but force non-interactive behavior; do not run zsh; do not chsh.
# Globals:
@@ -1240,228 +1379,4 @@ EOF
### Prevents accidental 'unset -f'.
# shellcheck disable=SC2034
readonly -f zsh_omz_installer
#######################################
# Writes CISS Header for '/etc/pam.d/login'.
# Globals:
# None
# Arguments:
# 1: TARGET
# Returns:
# 0: on success
#######################################
write_pam_login() {
### Declare Arrays, HashMaps, and Variables.
declare -r var_target="$1"
mv "${var_target}/etc/pam.d/sshd" "${var_target}/root/.ciss/cdi/backup/etc/pam.d/login"
insert_header "${var_target}/etc/pam.d/login"
insert_comments "${var_target}/etc/pam.d/login"
cat << EOF >> "${var_target}/etc/pam.d/login"
#
# The PAM configuration file for the Shadow 'login' service
#
# Enforce a minimal delay in case of failure (in microseconds). (Replaces the 'FAIL_DELAY' setting from login.defs).
# Note that other modules may require another minimal delay. (For example, to disable any delay, you should add the 'nodelay'
# option to pam_unix).
auth optional pam_faildelay.so delay=3000000
# Outputs an issue file prior to each login prompt (Replaces the ISSUE_FILE option from login.defs). Uncomment for use.
# auth required pam_issue.so issue=/etc/issue
# Disallows other than root logins when /etc/nologin exists. (Replaces the 'NOLOGINS_FILE' option from login.defs).
auth requisite pam_nologin.so
# SELinux needs to be the first session rule. This ensures that any lingering context has been cleared. Without this it is
# possible that a module could execute code in the wrong domain. When the module is present, "required" would be sufficient
# (When SELinux is disabled, this returns success.)
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
# Sets the loginuid process attribute
session required pam_loginuid.so
# Prints the message of the day upon successful login. (Replaces the 'MOTD_FILE' option in login.defs). This includes a
# dynamically generated part from /run/motd.dynamic, and a static (admin-editable) part from /etc/motd.
session optional pam_motd.so motd=/run/motd.dynamic
session optional pam_motd.so noupdate
# SELinux needs to intervene at login time to ensure that the process starts in the proper default security context. Only
# sessions which are intended to run in the user's context should be run after this. The module pam_selinux.so changes the
# SELinux context of the used TTY and configures SELinux in order to transition to the user context with the next execve()
# call.
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
# When the module is present, "required" would be sufficient (When SELinux is disabled, this returns success.)
# This module parses environment configuration file(s) and also allows you to use an extended config file
# /etc/security/pam_env.conf. Parsing /etc/environment needs "readenv=1"
session required pam_env.so readenv=1
# Locale variables can also be set in /etc/default/locale reading this file *in addition to /etc/environment* does not hurt.
session required pam_env.so readenv=1 envfile=/etc/default/locale
# Standard Un*x authentication.
@include common-auth
# ===== CISS 2FA block =====
# If user is NOT listed -> succeed and SKIP next two lines (no TOTP prompt).
auth [success=2 default=ignore] pam_listfile.so item=user sense=deny file=/etc/ciss/2fa onerr=ignore
# Listed users: show a clear hint and then require GA. No 'nullok': missing secret -> fail.
auth required pam_echo.so file=/etc/ciss/login_totp.prompt
auth required pam_google_authenticator.so
# ===== CISS 2FA block end =====
# This allows certain extra groups to be granted to a user based on things like time of day, tty, service, and user. Please
# edit /etc/security/group.conf to fit your needs (Replaces the 'CONSOLE_GROUPS' option in login.defs).
auth optional pam_group.so
# Uncomment and edit /etc/security/time.conf if you need to set time restraint on logins. (Replaces the 'PORTTIME_CHECKS_ENAB'
# option from login.defs as well as /etc/porttime).
# account requisite am_time.so
# Uncomment and edit /etc/security/access.conf if you need to set access limits. (Replaces /etc/login.access file).
# account required pam_access.so
# Sets up user limits according to /etc/security/limits.conf. (Replaces the use of /etc/limits in old login).
session required pam_limits.so
# Prints the status of the user's mailbox upon successful login (Replaces the 'MAIL_CHECK_ENAB' option from login.defs).
# This also defines the MAIL environment variable. However, userdel also needs MAIL_DIR and MAIL_FILE variables in
# /etc/login.defs to make sure that removing a user also removes the user's mail spool file. See comments in /etc/login.defs.
session optional pam_mail.so standard
# Create a new session keyring.
session optional pam_keyinit.so force revoke
# Standard Un*x account and session
@include common-account
@include common-session
@include common-password
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
EOF
do_log "info" "file_only" "4520() Written: [/etc/pam.d/login]."
cat << 'EOF' >| "${var_target}/etc/ciss/login_totp.prompt"
After your UNIX password, please enter your 6-digit TOTP code.
EOF
chmod 0444 "${var_target}/etc/ciss/login_totp.prompt"
do_log "info" "file_only" "4520() Written: [/etc/ciss/login_totp.prompt]."
return 0
}
### Prevents accidental 'unset -f'.
# shellcheck disable=SC2034
readonly -f write_pam_login
#######################################
# Writes CISS Header for '/etc/pam.d/sshd'.
# Globals:
# None
# Arguments:
# 1: TARGET
# Returns:
# 0: on success
#######################################
write_pam_sshd() {
### Declare Arrays, HashMaps, and Variables.
declare -r var_target="$1"
mv "${var_target}/etc/pam.d/sshd" "${var_target}/root/.ciss/cdi/backup/etc/pam.d/sshd"
insert_header "${var_target}/etc/pam.d/sshd"
insert_comments "${var_target}/etc/pam.d/sshd"
cat << EOF >> "${var_target}/etc/pam.d/sshd"
#
# PAM configuration for the Secure Shell service
#
# ===== CISS 2FA block =====
# If user is NOT listed -> succeed and SKIP next two lines (silent Keyboard-Interactive (KI) success).
auth [success=2 default=ignore] pam_listfile.so item=user sense=deny file=/etc/ciss/2fa onerr=ignore
# For listed users: enforce that the secret file exists, else deny without prompting.
# pam_google_authenticator will itself fail if the file is absent; we add a clear hint before it.
auth required pam_echo.so file=/etc/ciss/ssh_totp.prompt
auth required pam_google_authenticator.so
# No 'nullok' here: listed users MUST have a secret; missing -> hard fail.
# For non-2FA users KI must be a silent success to satisfy AuthenticationMethods.
auth sufficient pam_permit.so
# ===== CISS 2FA block end =====
# Keep the rest as shipped by Debian. It will be short-circuited by pam_permit for KI and never reached for 2FA users after
# successful GA.
# Standard Un*x authentication.
@include common-auth
# Disallow non-root logins when /etc/nologin exists.
account required pam_nologin.so
# Uncomment and edit /etc/security/access.conf if you need to set complex access limits that are hard to express in sshd_config.
# account required pam_access.so
# Standard Un*x authorization.
@include common-account
# SELinux needs to be the first session rule. This ensures that any lingering context has been cleared. Without this it is
# possible that a module could execute code in the wrong domain.
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
# Set the loginuid process attribute.
session required pam_loginuid.so
# Create a new session keyring.
session optional pam_keyinit.so force revoke
# Standard Un*x session setup and teardown.
@include common-session
# Print the message of the day upon successful login. This includes a dynamically generated part from /run/motd.dynamic and a
# static (admin-editable) part from /etc/motd.
session optional pam_motd.so motd=/run/motd.dynamic
session optional pam_motd.so noupdate
# Print the status of the user's mailbox upon successful login.
session optional pam_mail.so standard noenv # [1]
# Set up user limits from /etc/security/limits.conf.
session required pam_limits.so
# Read environment variables from /etc/environment and /etc/security/pam_env.conf.
session required pam_env.so # [1]
# In Debian 4.0 (etch), locale-related environment variables were moved to /etc/default/locale, so read that as well.
session required pam_env.so envfile=/etc/default/locale
# SELinux needs to intervene at login time to ensure that the process starts in the proper default security context. Only
# sessions which are intended to run in the user's context should be run after this.
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
# Standard Un*x password updating.
@include common-password
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
EOF
do_log "info" "file_only" "4520() Written: [/etc/pam.d/sshd]."
cat << 'EOF' >| "${var_target}/etc/ciss/ssh_totp.prompt"
Please enter your 6-digit TOTP code for %u@%H.
EOF
chmod 0444 "${var_target}/etc/ciss/ssh_totp.prompt"
do_log "info" "file_only" "4520() Written: [/etc/ciss/ssh_totp.prompt]."
return 0
}
### Prevents accidental 'unset -f'.
# shellcheck disable=SC2034
readonly -f write_pam_sshd
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh


@@ -23,16 +23,60 @@ guard_sourcing
# Returns:
# 0: on success
#######################################
accounts_setup_ciss() {
accounts_setup_ciss_root() {
### Declare Arrays, HashMaps, and Variables.
declare var_target="${TARGET}"
### Check for TARGET / RECOVERY.
[[ "${VAR_RUN_RECOVERY}" == "true" ]] && var_target="${RECOVERY}"
install -d -m 0700 -o root -g root "${var_target}/root/.ssh"
install -m 0600 -o root -g root /dev/null "${var_target}/root/.ssh/authorized_keys"
install -m 0600 -o root -g root "${VAR_SETUP_PATH}/includes/target/root/.ciss.bashrc" "${var_target}/root/.bashrc"
install -m 0600 -o root -g root "${VAR_SETUP_PATH}/includes/target/root/.ciss/theme_eza_ciss.yml" "${var_target}/root/.ciss/"
install -m 0600 -o root -g root "${VAR_SETUP_PATH}/includes/target/root/.ciss/alias" "${var_target}/root/.ciss/"
install -m 0700 -o root -g root "${VAR_SETUP_PATH}/includes/target/root/.ciss/check_chrony.sh" "${var_target}/root/.ciss/"
install -m 0700 -o root -g root "${VAR_SETUP_PATH}/includes/target/root/.ciss/clean_logout.sh" "${var_target}/root/.ciss/"
install -m 0600 -o root -g root "${VAR_SETUP_PATH}/includes/target/root/.ciss/f2bchk" "${var_target}/root/.ciss/"
install -m 0600 -o root -g root "${VAR_SETUP_PATH}/includes/target/root/.ciss/scan_libwrap" "${var_target}/root/.ciss/"
install -m 0600 -o root -g root "${VAR_SETUP_PATH}/includes/target/root/.ciss/shortcuts" "${var_target}/root/.ciss/"
insert_comments "${var_target}/root/.bashrc"
insert_comments "${var_target}/root/.ciss/alias"
insert_comments "${var_target}/root/.ciss/check_chrony.sh"
insert_comments "${var_target}/root/.ciss/clean_logout.sh"
insert_comments "${var_target}/root/.ciss/f2bchk"
insert_comments "${var_target}/root/.ciss/scan_libwrap"
insert_comments "${var_target}/root/.ciss/shortcuts"
if [[ "${user_root_shell}" == "/bin/zsh" ]]; then
if [[ -x "${var_target}${user_root_shell}" ]]; then
zsh_omz_installer "root" "${var_target}"
mkdir -p "${var_target}/root/.ciss/cdi/backup/root"
mv "${var_target}/root/.zshrc" "${var_target}/root/.ciss/cdi/backup/root/.zshrc.bak"
install -m 0600 -o root -g root "${VAR_SETUP_PATH}/includes/target/root/.ciss.zshrc" "${var_target}/root/.zshrc"
insert_comments "${var_target}/root/.zshrc"
chroot_exec "${var_target}" chsh -s "${user_root_shell}" root
do_log "info" "file_only" "4520() Shell: '${user_root_shell}' used for: 'root'."
else
chroot_exec "${var_target}" chsh -s /bin/bash root
do_log "info" "file_only" "4520() Shell: '${user_root_shell}' not found for: 'root'. Using '/bin/bash' instead."
fi
fi
do_log "info" "file_only" "4520() Skeleton: 'root' successfully generated."
guard_dir && return 0
}
### Prevents accidental 'unset -f'.
# shellcheck disable=SC2034
readonly -f accounts_setup_ciss
readonly -f accounts_setup_ciss_root
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
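Review bot: `user_root_shell`, read in the new `if [[ "${user_root_shell}" == "/bin/zsh" ]]` branch, is neither declared in the function nor passed as an argument, so it appears to be an unlisted global; it should be added to the header's Globals list (which, if present, sits above the hunk) or taken as a parameter, and under `set -u` an unset value would abort the whole skeleton setup. The identical branch in accounts_setup_physnet_root in the next file section has the same gap. The `install` calls into `${var_target}/root/.ciss/` also assume that directory already exists, since only `/root/.ssh` is created with `install -d` here — presumably prepare_xdg_root provides it, but an `install -d -m 0700 -o root -g root "${var_target}/root/.ciss"` before them would make the function self-contained. Since the two functions differ only in the `.ciss.*` versus `.physnet.*` rc file names, the roughly forty shared lines could move into one helper taking the profile name.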


@@ -23,13 +23,58 @@ guard_sourcing
# Returns:
# 0: on success
#######################################
accounts_setup_physnet() {
accounts_setup_physnet_root() {
### Declare Arrays, HashMaps, and Variables.
declare var_target="${TARGET}"
### Check for TARGET / RECOVERY.
[[ "${VAR_RUN_RECOVERY}" == "true" ]] && var_target="${RECOVERY}"
install -d -m 0700 -o root -g root "${var_target}/root/.ssh"
install -m 0600 -o root -g root /dev/null "${var_target}/root/.ssh/authorized_keys"
install -m 0600 -o root -g root "${VAR_SETUP_PATH}/includes/target/root/.physnet.bashrc" "${var_target}/root/.bashrc"
install -m 0600 -o root -g root "${VAR_SETUP_PATH}/includes/target/root/.ciss/theme_eza_ciss.yml" "${var_target}/root/.ciss/"
install -m 0600 -o root -g root "${VAR_SETUP_PATH}/includes/target/root/.ciss/alias" "${var_target}/root/.ciss/"
install -m 0700 -o root -g root "${VAR_SETUP_PATH}/includes/target/root/.ciss/check_chrony.sh" "${var_target}/root/.ciss/"
install -m 0700 -o root -g root "${VAR_SETUP_PATH}/includes/target/root/.ciss/clean_logout.sh" "${var_target}/root/.ciss/"
install -m 0600 -o root -g root "${VAR_SETUP_PATH}/includes/target/root/.ciss/f2bchk" "${var_target}/root/.ciss/"
install -m 0600 -o root -g root "${VAR_SETUP_PATH}/includes/target/root/.ciss/scan_libwrap" "${var_target}/root/.ciss/"
install -m 0600 -o root -g root "${VAR_SETUP_PATH}/includes/target/root/.ciss/shortcuts" "${var_target}/root/.ciss/"
insert_comments "${var_target}/root/.bashrc"
insert_comments "${var_target}/root/.ciss/alias"
insert_comments "${var_target}/root/.ciss/check_chrony.sh"
insert_comments "${var_target}/root/.ciss/clean_logout.sh"
insert_comments "${var_target}/root/.ciss/f2bchk"
insert_comments "${var_target}/root/.ciss/scan_libwrap"
insert_comments "${var_target}/root/.ciss/shortcuts"
if [[ "${user_root_shell}" == "/bin/zsh" ]]; then
if [[ -x "${var_target}${user_root_shell}" ]]; then
zsh_omz_installer "root" "${var_target}"
mkdir -p "${var_target}/root/.ciss/cdi/backup/root"
mv "${var_target}/root/.zshrc" "${var_target}/root/.ciss/cdi/backup/root/.zshrc.bak"
install -m 0600 -o root -g root "${VAR_SETUP_PATH}/includes/target/root/.physnet.zshrc" "${var_target}/root/.zshrc"
insert_comments "${var_target}/root/.zshrc"
chroot_exec "${var_target}" chsh -s "${user_root_shell}" root
do_log "info" "file_only" "4520() Shell: '${user_root_shell}' used for: 'root'."
else
chroot_exec "${var_target}" chsh -s /bin/bash root
do_log "info" "file_only" "4520() Shell: '${user_root_shell}' not found for: 'root'. Using '/bin/bash' instead."
fi
fi
do_log "info" "file_only" "4520() Skeleton: 'root' successfully generated."
guard_dir && return 0
}
### Prevents accidental 'unset -f'.


@@ -15,7 +15,7 @@ guard_sourcing
#######################################
# Iterates all '/etc/shadow' entries and sets:
# 4=min age=0, 5=max age=16384, 6=warn=128, 7=inactive=42, 8=expire=17.09.2102
# Safe: creates a timestamped backup and (if available) locks /etc/.pwd.lock.
# Safe: creates a timestamped backup and (if available) locks '/etc/.pwd.lock'.
# Globals:
# RECOVERY
# TARGET
@@ -28,6 +28,7 @@ guard_sourcing
update_shadow() {
### Declare Arrays, HashMaps, and Variables.
declare var_target="${TARGET}"
### Check for TARGET / RECOVERY.
[[ "${VAR_RUN_RECOVERY}" == "true" ]] && var_target="${RECOVERY}"
@@ -66,12 +67,12 @@ update_shadow() {
### Rewrite fields 4..8 for every line
### Preserve fields 1..3 and 9, keep password hashes untouched.
### Pad to 9 fields if shorter; keep empty lines intact (rare but safe).
awk -v FS=":" -v OFS=":" -v exp="${var_exp_ds}" '
NF==0 { print; next } # preserve blank lines verbatim
awk -v FS=":" -v OFS=":" -v v_exp="${var_exp_ds}" '
NF==0 { print; next } # preserve blank lines verbatim
{
# pad missing trailing fields to 9
for (i=NF+1; i<=9; i++) $i="";
$4=0; $5=16384; $6=128; $7=42; $8=exp; # set required fields
$4=0; $5=16384; $6=128; $7=42; $8=v_exp; # set required fields
print
}
' "${var_backup}" >| "${var_temp}"
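Review bot: The rename of the awk variable from `exp` to `v_exp` fixes a real problem but leaves no trace of why, so the next reader may well revert it: `exp` is a builtin awk function and gawk refuses `-v exp=...` outright (other awks may reject or shadow it). A one-line comment above the awk call would keep it from regressing, e.g. `### 'v_exp', not 'exp': exp is an awk builtin and cannot be used as a -v variable name.`. The enclosing update_shadow body continues beyond the hunk on both sides.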


@@ -31,6 +31,7 @@ installation_packages() {
if [[ "${VAR_APT_FULL_UPGRADE}" == "true" ]]; then
chroot_script "${TARGET}" "
export INITRD=No
[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
apt-get update -qq 2>&1 | tee -a ${var_logfile}
apt-get upgrade -y 2>&1 | tee -a ${var_logfile}
"
@@ -38,11 +39,13 @@ installation_packages() {
chroot_script "${TARGET}" "
export INITRD=No
[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
apt-get install -y --no-install-recommends --no-install-suggests ${ARY_PACKAGES[*]} 2>&1 | tee -a ${var_logfile}
"
chroot_script "${TARGET}" "
export INITRD=No
[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
apt-get autoclean -y 2>&1 | tee -a ${var_logfile}
apt-get autopurge -y 2>&1 | tee -a ${var_logfile}
apt-get autoremove -y 2>&1 | tee -a ${var_logfile}
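Review bot: The new `[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh` lines source the helper from `/root/` inside the chroot, but the cleanup added to final_commands later in this commit (`rm -f "${var_target}/etc/root/ciss_xdg_tmp.sh"`) removes it from `/etc/root/`, so the file is never deleted and stays behind in the installed system's `/root`. The same sourcing line is added in installation_security and install_verification in the next two file sections. Because the line sources a file into a root shell, it is worth gating on ownership as well as readability, e.g. `[[ -r /root/ciss_xdg_tmp.sh && -O /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh`, or alternatively passing the XDG variables to chroot_script explicitly so no temp file is needed at all.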


@@ -38,6 +38,7 @@ installation_security() {
chroot_script "${TARGET}" "
export INITRD=No
[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
apt-get install -y --no-install-recommends --no-install-suggests ${ary_fw[*]} 2>&1 | tee -a ${var_logfile}
if [[ ${VAR_SEC_FW} == apparmor ]]; then


@@ -33,6 +33,7 @@ install_verification() {
chroot_script "${TARGET}" "
export INITRD=No
[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
apt-get install -y --no-install-recommends --no-install-suggests auditd 2>&1 | tee -a ${var_logfile}
"


@@ -99,4 +99,7 @@ auditing_packages() {
guard_dir && return 0
}
### Prevents accidental 'unset -f'.
# shellcheck disable=SC2034
readonly -f auditing_packages
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh


@@ -13,12 +13,10 @@
guard_sourcing
#######################################
# Exiting chroot of the target system.
# Finalize the chroot system before exiting.
# Globals:
# RECOVERY
# TARGET
# VAR_CHROOT_ACTIVATED
# VAR_NEED_RUN_IN_TARGET
# VAR_RUN_RECOVERY
# Arguments:
# None
@@ -39,6 +37,9 @@ final_commands() {
updatedb | tee -a ${var_logfile}
"
rm -f "${var_target}/etc/root/ciss_xdg_tmp.sh"
guard_dir && return 0
}
### Prevents accidental 'unset -f'.