msw/CISS.debian.installer
SHA256
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

V8.00.000.2025.06.17
All checks were successful
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 2m13s
Details

Browse Source 
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
This commit is contained in:
Marc S. Weidner
2025-10-21 07:59:51 +01:00
parent 45b4bd7f12
commit 82096f7b7d
3 changed files with 231 additions and 105 deletions
Download Patch File Download Diff File Expand all files Collapse all files

156
func/cdi_4400_hardening/4420_hardening_fail2ban.sh
View File

@@ -50,7 +50,7 @@ hardening_fail2ban() {
insert_comments "${var_target}/etc/fail2ban/fail2ban.local"
cat << 'EOF' >> "${var_target}/etc/fail2ban/fail2ban.local"
[DEFAULT]
allowipv6 = auto
allowipv6 = auto
EOF
@@ -62,14 +62,14 @@ EOF
### fail2ban ufw aggressive mode, one attempt for jumphost configuration.
cat << EOF >> "${var_target}/etc/fail2ban/jail.d/ciss-default.conf"
[DEFAULT]
usedns = yes
# 127.0.0.1/8 IPv4 loopback range (local host)
# ::1/128 IPv6 loopback
# fe80::/10 IPv6 link-local (on-link only; NDP/RA/DAD)
# fc00::/7 IPv6 ULA (private LAN addresses)
# ff00::/8 IPv6 multicast (not an unicast host)
# ::/128 IPv6 unspecified (all zeros; never a real peer)
ignoreip = 127.0.0.1/8 ::1/128 fe80::/10 fc00::/7 ff00::/8 ::/128
usedns = yes
# 127.0.0.1/8 IPv4 loopback range (local host)
# ::1/128 IPv6 loopback
# fe80::/10 IPv6 link-local (on-link only; NDP/RA/DAD)
# fc00::/7 IPv6 ULA (private LAN addresses)
# ff00::/8 IPv6 multicast (not an unicast host)
# ::/128 IPv6 unspecified (all zeros; never a real peer)
ignoreip = 127.0.0.1/8 ::1/128 fe80::/10 fc00::/7 ff00::/8 ::/128
# ${VAR_FINAL_FQDN}
${VAR_FINAL_IPV4}
EOF
@@ -94,30 +94,42 @@ EOF
fi
cat << EOF >> "${var_target}/etc/fail2ban/jail.d/ciss-default.conf"
maxretry = 8
findtime = 24h
bantime = 24h
maxretry = 3
findtime = 1d
bantime = 1h
bantime.increment = true
bantime.factor = 1
bantime.maxtime = 16d
bantime.overalljails = true
bantime.rndtime = 877s
[recidive]
enabled = true
filter = recidive
logpath = /var/log/fail2ban/fail2ban.log*
banaction = iptables-allports
bantime = 32d
findtime = 384d
maxretry = 4
enabled = true
filter = recidive
logpath = /var/log/fail2ban/fail2ban.log*
banaction = iptables-allports
maxretry = 3
findtime = 16d
bantime = 8d
bantime.increment = true
bantime.factor = 1
bantime.maxtime = 96d
bantime.multipliers = 1, 2, 4, 8
bantime.overalljails = true
bantime.rndtime = 877s
[sshd]
enabled = true
backend = systemd
filter = sshd
mode = normal
port = ${VAR_SSH_PORT}
protocol = tcp
logpath = /var/log/auth.log
maxretry = 3
findtime = 24h
bantime = 24h
enabled = true
backend = systemd
filter = sshd
mode = normal
port = ${VAR_SSH_PORT}
protocol = tcp
logpath = /var/log/auth.log
maxretry = 4
#
# ufw aggressive approach:
@@ -126,13 +138,11 @@ bantime = 24h
#
[ufw]
enabled = true
filter = ciss.ufw
action = iptables-allports
logpath = /var/log/ufw.log
maxretry = 1
findtime = 24h
bantime = 24h
enabled = true
filter = ciss.ufw
action = iptables-allports
logpath = /var/log/ufw.log
maxretry = 1
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
EOF
@@ -142,8 +152,14 @@ EOF
### fail2ban ufw aggressive mode, 32 attempts for NO jumphost configuration.
cat << EOF >> "${var_target}/etc/fail2ban/jail.d/ciss-default.conf"
[DEFAULT]
usedns = yes
ignoreip = 127.0.0.0/8 ::1
usedns = yes
# 127.0.0.1/8 IPv4 loopback range (local host)
# ::1/128 IPv6 loopback
# fe80::/10 IPv6 link-local (on-link only; NDP/RA/DAD)
# fc00::/7 IPv6 ULA (private LAN addresses)
# ff00::/8 IPv6 multicast (not an unicast host)
# ::/128 IPv6 unspecified (all zeros; never a real peer)
ignoreip = 127.0.0.1/8 ::1/128 fe80::/10 fc00::/7 ff00::/8 ::/128
# ${VAR_FINAL_FQDN}
${VAR_FINAL_IPV4}
EOF
@@ -156,30 +172,42 @@ EOF
fi
cat << EOF >> "${var_target}/etc/fail2ban/jail.d/ciss-default.conf"
maxretry = 8
findtime = 24h
bantime = 24h
maxretry = 3
findtime = 1d
bantime = 1h
bantime.increment = true
bantime.factor = 1
bantime.maxtime = 16d
bantime.overalljails = true
bantime.rndtime = 877s
[recidive]
enabled = true
filter = recidive
logpath = /var/log/fail2ban/fail2ban.log*
banaction = iptables-allports
bantime = 32d
findtime = 384d
maxretry = 4
enabled = true
filter = recidive
logpath = /var/log/fail2ban/fail2ban.log*
banaction = iptables-allports
maxretry = 3
findtime = 16d
bantime = 8d
bantime.increment = true
bantime.factor = 1
bantime.maxtime = 96d
bantime.multipliers = 1, 2, 4, 8
bantime.overalljails = true
bantime.rndtime = 877s
[sshd]
enabled = true
backend = systemd
filter = sshd
mode = normal
port = ${VAR_SSH_PORT}
protocol = tcp
logpath = /var/log/auth.log
maxretry = 3
findtime = 24h
bantime = 24h
enabled = true
backend = systemd
filter = sshd
mode = normal
port = ${VAR_SSH_PORT}
protocol = tcp
logpath = /var/log/auth.log
maxretry = 4
#
# ufw aggressive approach:
@@ -188,13 +216,11 @@ bantime = 24h
#
[ufw]
enabled = true
filter = ciss.ufw
action = iptables-allports
logpath = /var/log/ufw.log
maxretry = 8
findtime = 24h
bantime = 24h
enabled = true
filter = ciss.ufw
action = iptables-allports
logpath = /var/log/ufw.log
maxretry = 4
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
EOF

174
func/cdi_4500_user/4520_accounts_setup.sh
View File

@@ -58,10 +58,12 @@ accounts_setup() {
### Update pam modules for 2fa.
mkdir -p "${var_target}/root/.ciss/cdi/backup/etc/pam.d"
write_pam_login "${var_target}"
write_pam_sshd "${var_target}"
write_pam_su "${var_target}"
write_pam_sudo-i "${var_target}"
write_pam_common_auth "${var_target}"
write_pam_login "${var_target}"
write_pam_sshd "${var_target}"
write_pam_su "${var_target}"
write_pam_sudo "${var_target}"
write_pam_sudo-i "${var_target}"
### Prepare the '2fa'-seed variable.
read_totp_seed
@@ -580,6 +582,7 @@ hardening_sudo() {
cat << 'EOF' >> "${var_sudoers_main}"
##### Added by CISS.debian.installer
Defaults timestamp_timeout=480
Defaults log_host, log_year, log_input, log_exit_status, log_subcmds, logfile="/var/log/sudo.log", iolog_dir="/var/log/sudo-io"
EOF
fi
@@ -931,6 +934,59 @@ write_google_authenticator_file() {
# shellcheck disable=SC2034
readonly -f write_google_authenticator_file
#######################################
# Writes CISS Header for '/etc/pam.d/common-auth'.
# Globals:
# None
# Arguments:
# 1: TARGET
# Returns:
# 0: on success
#######################################
write_pam_common_auth() {
### Declare Arrays, HashMaps, and Variables.
declare -r var_target="$1"
mv "${var_target}/etc/pam.d/common-auth" "${var_target}/root/.ciss/cdi/backup/etc/pam.d/common-auth"
insert_header "${var_target}/etc/pam.d/common-auth"
insert_comments "${var_target}/etc/pam.d/common-auth"
cat << EOF >> "${var_target}/etc/pam.d/common-auth"
#
# /etc/pam.d/common-auth - authentication settings common to all services
#
# This file is included from other service-specific PAM config files, and should contain a list of the authentication modules
# that define the central authentication scheme for use on the system (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is
# to use the traditional Unix authentication mechanisms.
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default. To take advantage of this, it is recommended that you
# configure any local modules either before or after the default block, and use pam-auth-update to manage selection of other
# modules. See pam-auth-update(8) for details.
# Here are the per-package modules (the "Primary" block):
auth [success=1 default=ignore] pam_unix.so try_first_pass nodelay
# Here is the fallback if no module succeeds:
auth requisite pam_deny.so
# Prime the stack with a positive return value if there is not one already; this avoids us returning an error just because
# nothing sets a success code since the modules above will each just jump around.
auth required pam_permit.so
# And here are more per-package modules (the "Additional" block):
# End of pam-auth-update config.
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
EOF
do_log "info" "file_only" "4520() Written: [/etc/pam.d/common-auth]."
return 0
}
### Prevents accidental 'unset -f'.
# shellcheck disable=SC2034
readonly -f write_pam_common_auth
#######################################
# Writes CISS Header for '/etc/pam.d/login'.
# Globals:
@@ -958,17 +1014,17 @@ write_pam_login() {
# Root only on secure ttys listed in '/etc/securetty' (fail fast, no prompts).
auth requisite pam_securetty.so
# Disallows other than root logins when /etc/nologin exists. (Replaces the 'NOLOGINS_FILE' option from login.defs).
auth requisite pam_nologin.so
# Enforce a minimal delay in case of failure (in microseconds). (Replaces the 'FAIL_DELAY' setting from login.defs).
# Note that other modules may require another minimal delay. (For example, to disable any delay, you should add the 'nodelay'
# option to pam_unix).
auth optional pam_faildelay.so delay=3200000
auth optional pam_faildelay.so delay=3200000 # 3.2 seconds
# Outputs an issue file prior to each login prompt (Replaces the ISSUE_FILE option from login.defs). Uncomment for use.
#auth required pam_issue.so issue=/etc/issue
# Disallows other than root logins when /etc/nologin exists. (Replaces the 'NOLOGINS_FILE' option from login.defs).
auth requisite pam_nologin.so
# SELinux needs to be the first session rule. This ensures that any lingering context has been cleared. Without this it is
# possible that a module could execute code in the wrong domain. When the module is present, "required" would be sufficient
# (When SELinux is disabled, this returns success.)
@@ -995,8 +1051,8 @@ session required pam_env.so readenv=1
# Locale variables can also be set in /etc/default/locale reading this file *in addition to /etc/environment* does not hurt.
session required pam_env.so readenv=1 envfile=/etc/default/locale
# Standard Un*x authentication.
@include common-auth
# Standard password for the target account (root or other). pam_unix.so with: try_first_pass nodelay (without nullok).
@include common-auth
# ===== CISS 2FA block ========
@@ -1005,7 +1061,7 @@ session required pam_env.so readenv=1 envfile=/etc/default/locale
auth [success=2 default=ignore] pam_exec.so quiet /usr/local/libexec/ciss_pam_2fa_gate.sh
# For listed users: enforce that the secret file exists, else deny without prompting.
# pam_google_authenticator will itself fail if the file is absent; we add a clear hint before it.
# pam_google_authenticator will itself fail if the file is absent.
# No 'nullok' here: listed users MUST have a secret; missing -> hard fail.
auth required pam_echo.so file=/etc/ciss/pam_login_totp.prompt
auth required pam_google_authenticator.so
@@ -1017,8 +1073,6 @@ auth required pam_google_authenticator.so
# edit /etc/security/group.conf to fit your needs (Replaces the 'CONSOLE_GROUPS' option in login.defs).
auth optional pam_group.so
# Uncomment and edit /etc/security/time.conf if you need to set time restraint on logins. (Replaces the 'PORTTIME_CHECKS_ENAB'
# option from login.defs as well as /etc/porttime).
#account requisite pam_time.so
@@ -1041,9 +1095,9 @@ session optional pam_keyinit.so force revoke
account requisite pam_access.so
# Standard Un*x account and session
@include common-account
@include common-session
@include common-password
@include common-account
@include common-session
@include common-password
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
EOF
@@ -1083,13 +1137,15 @@ write_pam_sshd() {
# PAM configuration for the Secure Shell service
#
auth optional pam_warn.so
# ===== CISS 2FA block ========
# If gate returns SUCCESS => skip next two lines (no TOTP).
auth [success=2 default=ignore] pam_exec.so quiet /usr/local/libexec/ciss_pam_2fa_gate.sh
# For listed users: enforce that the secret file exists, else deny without prompting.
# pam_google_authenticator will itself fail if the file is absent; we add a clear hint before it.
# pam_google_authenticator will itself fail if the file is absent.
# No 'nullok' here: listed users MUST have a secret; missing -> hard fail.
auth required pam_echo.so file=/etc/ciss/pam_ssh_totp.prompt
auth required pam_google_authenticator.so
@@ -1103,8 +1159,9 @@ auth sufficient pam_permit.so
# Keep the rest as shipped by Debian. It will be short-circuited by pam_permit for KI and never reached for 2FA users after
# successful GA.
# Standard Un*x authentication.
@include common-auth
# Standard password for the target account (root or other). pam_unix.so with: try_first_pass nodelay (without nullok).
# (omitted deliberately: CISS SSH uses KI/TOTP only; no password path)
# @include common-auth
# Disallow non-root logins when /etc/nologin exists.
account required pam_nologin.so
@@ -1113,7 +1170,7 @@ account required pam_nologin.so
#account required pam_access.so
# Standard Un*x authorization.
@include common-account
@include common-account
# SELinux needs to be the first session rule. This ensures that any lingering context has been cleared. Without this it is
# possible that a module could execute code in the wrong domain.
@@ -1126,7 +1183,7 @@ session required pam_loginuid.so
session optional pam_keyinit.so force revoke
# Standard Un*x session setup and teardown.
@include common-session
@include common-session
# Print the message of the day upon successful login. This includes a dynamically generated part from /run/motd.dynamic and a
# static (admin-editable) part from /etc/motd.
@@ -1136,7 +1193,7 @@ session optional pam_motd.so noupdate
# Print the status of the user's mailbox upon successful login.
session optional pam_mail.so standard noenv
# Set up user limits from /etc/security/limits.conf.
# Sets up user limits according to /etc/security/limits.conf. (Replaces the use of /etc/limits in old login).
session required pam_limits.so
# Read environment variables from /etc/environment and /etc/security/pam_env.conf.
@@ -1150,7 +1207,7 @@ session required pam_env.so envfile=/etc/default/locale
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
# Standard Un*x password updating.
@include common-password
@include common-password
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
EOF
@@ -1197,12 +1254,8 @@ auth sufficient pam_rootok.so
# Hardening of '/bin/su': only members of the group 'sudo' can su to root.
auth required pam_wheel.so group=sudo
# Sets up user limits according to /etc/security/limits.conf
# (Replaces the use of /etc/limits in old login)
session required pam_limits.so
# Standard password for the target account (root or other):
@include common-auth
# Standard password for the target account (root or other). pam_unix.so with: try_first_pass nodelay (without nullok).
@include common-auth
# ===== CISS 2FA block ========
@@ -1211,7 +1264,7 @@ session required pam_limits.so
auth [success=2 default=ignore] pam_exec.so quiet /usr/local/libexec/ciss_pam_2fa_gate.sh
# For listed users: enforce that the secret file exists, else deny without prompting.
# pam_google_authenticator will itself fail if the file is absent; we add a clear hint before it.
# pam_google_authenticator will itself fail if the file is absent.
# No 'nullok' here: listed users MUST have a secret; missing -> hard fail.
auth required pam_echo.so file=/etc/ciss/pam_su_totp.prompt
auth required pam_google_authenticator.so
@@ -1222,6 +1275,9 @@ auth required pam_google_authenticator.so
@include common-account
@include common-session
# Sets up user limits according to /etc/security/limits.conf. (Replaces the use of /etc/limits in old login).
session required pam_limits.so
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
EOF
@@ -1239,6 +1295,47 @@ EOF
# shellcheck disable=SC2034
readonly -f write_pam_su
#######################################
# Writes CISS Header for '/etc/pam.d/sudo'.
# Globals:
# None
# Arguments:
# 1: TARGET
# Returns:
# 0: on success
#######################################
write_pam_sudo() {
### Declare Arrays, HashMaps, and Variables.
declare -r var_target="$1"
mv "${var_target}/etc/pam.d/sudo-i" "${var_target}/root/.ciss/cdi/backup/etc/pam.d/sudo"
insert_header "${var_target}/etc/pam.d/sudo"
insert_comments "${var_target}/etc/pam.d/sudo"
cat << EOF >> "${var_target}/etc/pam.d/sudo"
#
# PAM configuration for the sudo service
#
# Sets up user limits according to /etc/security/limits.conf. (Replaces the use of /etc/limits in old login).
session required pam_limits.so
# Standard password for the target account (root or other). pam_unix.so with: try_first_pass nodelay (without nullok).
@include common-auth
@include common-account
@include common-session-noninteractive
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
EOF
do_log "info" "file_only" "4520() Written: [/etc/pam.d/sudo]."
return 0
}
### Prevents accidental 'unset -f'.
# shellcheck disable=SC2034
readonly -f write_pam_sudo
#######################################
# Writes CISS Header for '/etc/pam.d/sudo-i'.
# Globals:
@@ -1258,14 +1355,14 @@ write_pam_sudo-i() {
insert_comments "${var_target}/etc/pam.d/sudo-i"
cat << EOF >> "${var_target}/etc/pam.d/sudo-i"
#
# PAM configuration for the sudo service
# PAM configuration for the sudo-i service
#
# Reuse a recent successful auth to avoid re-prompting within the TTL.
auth sufficient pam_timestamp.so
# Reuse of recent auth: handled by sudoers 'timestamp_timeout', not by PAM.
#auth sufficient pam_timestamp.so
# Standard UNIX password:
@include common-auth
# Standard password for the target account (root or other). pam_unix.so with: try_first_pass nodelay (without nullok).
@include common-auth
# ===== CISS 2FA block ========
@@ -1286,8 +1383,11 @@ auth required pam_google_authenticator.so
@include common-account
@include common-session
# Maintain a pam_timestamp ticket on successful sudo to suppress re-prompts.
session optional pam_timestamp.so
# Sets up user limits according to /etc/security/limits.conf. (Replaces the use of /etc/limits in old login).
session required pam_limits.so
# Maintain a pam_timestamp ticket on successful sudo to suppress re-prompts, handled by sudoers 'timestamp_timeout', not by PAM.
#session optional pam_timestamp.so
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
EOF

6
includes/target/usr/local/libexec/ciss_pam_2fa_gate.sh
View File

@@ -21,7 +21,7 @@ set -Ceuo pipefail
### Declare Arrays, HashMaps, and Variables.
declare -g VAR_MAP_FILE="/etc/ciss/2fa.map"
declare -g VAR_POLICY="${CISS_POLICY:-strict}"
declare -g VAR_BINDING="${CISS_SU_BINDING:-caller}"
declare -g VAR_BINDING="${CISS_SU_BINDING:-target}"
declare -g VAR_U=""
### PAM variables provided by pam_exec:
@@ -55,7 +55,7 @@ identify_subject() {
;;
su|su-l)
### Default: Bind su policy to the caller. Set CISS_SU_BINDING="target" if you want policy bound to the target account.
### Default: Bind su policy to the target. Set CISS_SU_BINDING="caller" if you want policy bound to the caller account.
case "${VAR_BINDING,,}" in
caller) echo "${PAM_RUSER:-${PAM_USER:-}}" ;;
@@ -138,7 +138,7 @@ map_service_to_col() {
sshd) echo 3 ;;
su|su-l) echo 4 ;;
sudo|sudo-i) echo 5 ;;
*) echo 0 ;; # Unknown services => behave as "not enforced".
*) echo 0 ;; # Unknown services => behave as "not enforced".
esac
return 0