V8.00.000.2025.06.17

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>

func/cdi_4400_hardening/4420_hardening_fail2ban.sh

@@ -94,18 +94,31 @@ EOF
     fi
 
     cat << EOF >> "${var_target}/etc/fail2ban/jail.d/ciss-default.conf"
-maxretry  = 8
-findtime  = 24h
-bantime   = 24h
+maxretry              = 3
+findtime              = 1d
+bantime               = 1h
+bantime.increment     = true
+bantime.factor        = 1
+bantime.maxtime       = 16d
+bantime.overalljails  = true
+bantime.rndtime       = 877s
+
 
 [recidive]
 enabled               = true
 filter                = recidive
 logpath               = /var/log/fail2ban/fail2ban.log*
 banaction             = iptables-allports
-bantime   = 32d
-findtime  = 384d
-maxretry  = 4
+maxretry              = 3
+findtime              = 16d
+bantime               = 8d
+bantime.increment     = true
+bantime.factor        = 1
+bantime.maxtime       = 96d
+bantime.multipliers   = 1, 2, 4, 8
+bantime.overalljails  = true
+bantime.rndtime       = 877s
+
 
 [sshd]
 enabled               = true
@@ -115,9 +128,8 @@ mode      = normal
 port                  = ${VAR_SSH_PORT}
 protocol              = tcp
 logpath               = /var/log/auth.log
-maxretry  = 3
-findtime  = 24h
-bantime   = 24h
+maxretry              = 4
+
 
 #
 # ufw aggressive approach:
@@ -131,8 +143,6 @@ filter    = ciss.ufw
 action                = iptables-allports
 logpath               = /var/log/ufw.log
 maxretry              = 1
-findtime  = 24h
-bantime   = 24h
 
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
 EOF
@@ -143,7 +153,13 @@ EOF
     cat << EOF >> "${var_target}/etc/fail2ban/jail.d/ciss-default.conf"
 [DEFAULT]
 usedns                = yes
-ignoreip  = 127.0.0.0/8 ::1
+#                       127.0.0.1/8 – IPv4 loopback range (local host)
+#                       ::1/128     – IPv6 loopback
+#                       fe80::/10   – IPv6 link-local (on-link only; NDP/RA/DAD)
+#                       fc00::/7    – IPv6 ULA (private LAN addresses)
+#                       ff00::/8    – IPv6 multicast (not an unicast host)
+#                       ::/128      – IPv6 unspecified (all zeros; never a real peer)
+ignoreip              = 127.0.0.1/8 ::1/128 fe80::/10 fc00::/7 ff00::/8 ::/128
 # ${VAR_FINAL_FQDN}
   ${VAR_FINAL_IPV4}
 EOF
@@ -156,18 +172,31 @@ EOF
     fi
 
     cat << EOF >> "${var_target}/etc/fail2ban/jail.d/ciss-default.conf"
-maxretry  = 8
-findtime  = 24h
-bantime   = 24h
+maxretry              = 3
+findtime              = 1d
+bantime               = 1h
+bantime.increment     = true
+bantime.factor        = 1
+bantime.maxtime       = 16d
+bantime.overalljails  = true
+bantime.rndtime       = 877s
+
 
 [recidive]
 enabled               = true
 filter                = recidive
 logpath               = /var/log/fail2ban/fail2ban.log*
 banaction             = iptables-allports
-bantime   = 32d
-findtime  = 384d
-maxretry  = 4
+maxretry              = 3
+findtime              = 16d
+bantime               = 8d
+bantime.increment     = true
+bantime.factor        = 1
+bantime.maxtime       = 96d
+bantime.multipliers   = 1, 2, 4, 8
+bantime.overalljails  = true
+bantime.rndtime       = 877s
+
 
 [sshd]
 enabled               = true
@@ -177,9 +206,8 @@ mode      = normal
 port                  = ${VAR_SSH_PORT}
 protocol              = tcp
 logpath               = /var/log/auth.log
-maxretry  = 3
-findtime  = 24h
-bantime   = 24h
+maxretry              = 4
+
 
 #
 # ufw aggressive approach:
@@ -192,9 +220,7 @@ enabled   = true
 filter                = ciss.ufw
 action                = iptables-allports
 logpath               = /var/log/ufw.log
-maxretry  = 8
-findtime  = 24h
-bantime   = 24h
+maxretry              = 4
 
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
 EOF

func/cdi_4500_user/4520_accounts_setup.sh

@@ -58,9 +58,11 @@ accounts_setup() {
 
   ### Update pam modules for 2fa.
   mkdir -p "${var_target}/root/.ciss/cdi/backup/etc/pam.d"
+  write_pam_common_auth "${var_target}"
   write_pam_login       "${var_target}"
   write_pam_sshd        "${var_target}"
   write_pam_su          "${var_target}"
+  write_pam_sudo        "${var_target}"
   write_pam_sudo-i      "${var_target}"
 
   ### Prepare the '2fa'-seed variable.
@@ -580,6 +582,7 @@ hardening_sudo() {
     cat << 'EOF' >> "${var_sudoers_main}"
 
 ##### Added by CISS.debian.installer
+Defaults timestamp_timeout=480
 Defaults log_host, log_year, log_input, log_exit_status, log_subcmds, logfile="/var/log/sudo.log", iolog_dir="/var/log/sudo-io"
 EOF
   fi
@@ -931,6 +934,59 @@ write_google_authenticator_file() {
 # shellcheck disable=SC2034
 readonly -f write_google_authenticator_file
 
+#######################################
+# Writes CISS Header for '/etc/pam.d/common-auth'.
+# Globals:
+#   None
+# Arguments:
+#   1: TARGET
+# Returns:
+#   0: on success
+#######################################
+write_pam_common_auth() {
+  ### Declare Arrays, HashMaps, and Variables.
+  declare -r  var_target="$1"
+
+  mv "${var_target}/etc/pam.d/common-auth" "${var_target}/root/.ciss/cdi/backup/etc/pam.d/common-auth"
+
+  insert_header   "${var_target}/etc/pam.d/common-auth"
+  insert_comments "${var_target}/etc/pam.d/common-auth"
+  cat << EOF >>   "${var_target}/etc/pam.d/common-auth"
+#
+# /etc/pam.d/common-auth - authentication settings common to all services
+#
+
+# This file is included from other service-specific PAM config files, and should contain a list of the authentication modules
+# that define the central authentication scheme for use on the system (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is
+# to use the traditional Unix authentication mechanisms.
+
+# As of pam 1.0.1-6, this file is managed by pam-auth-update by default. To take advantage of this, it is recommended that you
+# configure any local modules either before or after the default block, and use pam-auth-update to manage selection of other
+# modules. See pam-auth-update(8) for details.
+
+# Here are the per-package modules (the "Primary" block):
+auth	              [success=1 default=ignore] pam_unix.so try_first_pass nodelay
+
+# Here is the fallback if no module succeeds:
+auth	   requisite  pam_deny.so
+
+# Prime the stack with a positive return value if there is not one already; this avoids us returning an error just because
+# nothing sets a success code since the modules above will each just jump around.
+auth	   required   pam_permit.so
+
+# And here are more per-package modules (the "Additional" block):
+
+# End of pam-auth-update config.
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
+EOF
+  do_log "info" "file_only" "4520() Written: [/etc/pam.d/common-auth]."
+
+  return 0
+}
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f write_pam_common_auth
+
 #######################################
 # Writes CISS Header for '/etc/pam.d/login'.
 # Globals:
@@ -958,17 +1014,17 @@ write_pam_login() {
 # Root only on secure ttys listed in '/etc/securetty' (fail fast, no prompts).
 auth     requisite  pam_securetty.so
 
+# Disallows other than root logins when /etc/nologin exists. (Replaces the 'NOLOGINS_FILE' option from login.defs).
+auth     requisite  pam_nologin.so
+
 # Enforce a minimal delay in case of failure (in microseconds). (Replaces the 'FAIL_DELAY' setting from login.defs).
 # Note that other modules may require another minimal delay. (For example, to disable any delay, you should add the 'nodelay'
 # option to pam_unix).
-auth     optional   pam_faildelay.so delay=3200000
+auth     optional   pam_faildelay.so delay=3200000 # 3.2 seconds
 
 # Outputs an issue file prior to each login prompt (Replaces the ISSUE_FILE option from login.defs). Uncomment for use.
 #auth    required   pam_issue.so issue=/etc/issue
 
-# Disallows other than root logins when /etc/nologin exists. (Replaces the 'NOLOGINS_FILE' option from login.defs).
-auth     requisite  pam_nologin.so
-
 # SELinux needs to be the first session rule. This ensures that any lingering context has been cleared. Without this it is
 # possible that a module could execute code in the wrong domain. When the module is present, "required" would be sufficient
 # (When SELinux is disabled, this returns success.)
@@ -995,7 +1051,7 @@ session  required   pam_env.so readenv=1
 # Locale variables can also be set in /etc/default/locale reading this file *in addition to /etc/environment* does not hurt.
 session  required   pam_env.so readenv=1 envfile=/etc/default/locale
 
-# Standard Un*x authentication.
+# Standard password for the target account (root or other). pam_unix.so with: try_first_pass nodelay (without nullok).
 @include            common-auth
 
 
@@ -1005,7 +1061,7 @@ session  required   pam_env.so readenv=1 envfile=/etc/default/locale
 auth                [success=2 default=ignore] pam_exec.so quiet /usr/local/libexec/ciss_pam_2fa_gate.sh
 
 # For listed users: enforce that the secret file exists, else deny without prompting.
-# pam_google_authenticator will itself fail if the file is absent; we add a clear hint before it.
+# pam_google_authenticator will itself fail if the file is absent.
 # No 'nullok' here: listed users MUST have a secret; missing -> hard fail.
 auth     required   pam_echo.so file=/etc/ciss/pam_login_totp.prompt
 auth     required   pam_google_authenticator.so
@@ -1017,8 +1073,6 @@ auth     required   pam_google_authenticator.so
 # edit /etc/security/group.conf to fit your needs (Replaces the 'CONSOLE_GROUPS' option in login.defs).
 auth     optional   pam_group.so
 
-
-
 # Uncomment and edit /etc/security/time.conf if you need to set time restraint on logins. (Replaces the 'PORTTIME_CHECKS_ENAB'
 # option from login.defs as well as /etc/porttime).
 #account requisite  pam_time.so
@@ -1083,13 +1137,15 @@ write_pam_sshd() {
 # PAM configuration for the Secure Shell service
 #
 
+auth     optional   pam_warn.so
+
 # ===== CISS 2FA block  ========
 
 # If gate returns SUCCESS => skip next two lines (no TOTP).
 auth                [success=2 default=ignore] pam_exec.so quiet /usr/local/libexec/ciss_pam_2fa_gate.sh
 
 # For listed users: enforce that the secret file exists, else deny without prompting.
-# pam_google_authenticator will itself fail if the file is absent; we add a clear hint before it.
+# pam_google_authenticator will itself fail if the file is absent.
 # No 'nullok' here: listed users MUST have a secret; missing -> hard fail.
 auth     required   pam_echo.so file=/etc/ciss/pam_ssh_totp.prompt
 auth     required   pam_google_authenticator.so
@@ -1103,8 +1159,9 @@ auth     sufficient pam_permit.so
 # Keep the rest as shipped by Debian. It will be short-circuited by pam_permit for KI and never reached for 2FA users after
 # successful GA.
 
-# Standard Un*x authentication.
-@include common-auth
+# Standard password for the target account (root or other). pam_unix.so with: try_first_pass nodelay (without nullok).
+# (omitted deliberately: CISS SSH uses KI/TOTP only; no password path)
+# @include          common-auth
 
 # Disallow non-root logins when /etc/nologin exists.
 account  required   pam_nologin.so
@@ -1136,7 +1193,7 @@ session  optional   pam_motd.so noupdate
 # Print the status of the user's mailbox upon successful login.
 session  optional   pam_mail.so standard noenv
 
-# Set up user limits from /etc/security/limits.conf.
+# Sets up user limits according to /etc/security/limits.conf. (Replaces the use of /etc/limits in old login).
 session  required   pam_limits.so
 
 # Read environment variables from /etc/environment and /etc/security/pam_env.conf.
@@ -1197,11 +1254,7 @@ auth     sufficient pam_rootok.so
 # Hardening of '/bin/su': only members of the group 'sudo' can su to root.
 auth     required   pam_wheel.so group=sudo
 
-# Sets up user limits according to /etc/security/limits.conf
-# (Replaces the use of /etc/limits in old login)
-session  required   pam_limits.so
-
-# Standard password for the target account (root or other):
+# Standard password for the target account (root or other). pam_unix.so with: try_first_pass nodelay (without nullok).
 @include            common-auth
 
 
@@ -1211,7 +1264,7 @@ session  required   pam_limits.so
 auth                [success=2 default=ignore] pam_exec.so quiet /usr/local/libexec/ciss_pam_2fa_gate.sh
 
 # For listed users: enforce that the secret file exists, else deny without prompting.
-# pam_google_authenticator will itself fail if the file is absent; we add a clear hint before it.
+# pam_google_authenticator will itself fail if the file is absent.
 # No 'nullok' here: listed users MUST have a secret; missing -> hard fail.
 auth     required   pam_echo.so file=/etc/ciss/pam_su_totp.prompt
 auth     required   pam_google_authenticator.so
@@ -1222,6 +1275,9 @@ auth     required   pam_google_authenticator.so
 @include common-account
 @include common-session
 
+# Sets up user limits according to /etc/security/limits.conf. (Replaces the use of /etc/limits in old login).
+session  required   pam_limits.so
+
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
 EOF
 
@@ -1239,6 +1295,47 @@ EOF
 # shellcheck disable=SC2034
 readonly -f write_pam_su
 
+#######################################
+# Writes CISS Header for '/etc/pam.d/sudo'.
+# Globals:
+#   None
+# Arguments:
+#   1: TARGET
+# Returns:
+#   0: on success
+#######################################
+write_pam_sudo() {
+  ### Declare Arrays, HashMaps, and Variables.
+  declare -r  var_target="$1"
+
+  mv "${var_target}/etc/pam.d/sudo-i" "${var_target}/root/.ciss/cdi/backup/etc/pam.d/sudo"
+
+  insert_header   "${var_target}/etc/pam.d/sudo"
+  insert_comments "${var_target}/etc/pam.d/sudo"
+  cat << EOF >>   "${var_target}/etc/pam.d/sudo"
+#
+# PAM configuration for the sudo service
+#
+
+# Sets up user limits according to /etc/security/limits.conf. (Replaces the use of /etc/limits in old login).
+session  required   pam_limits.so
+
+# Standard password for the target account (root or other). pam_unix.so with: try_first_pass nodelay (without nullok).
+@include            common-auth
+@include            common-account
+@include            common-session-noninteractive
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
+EOF
+
+  do_log "info" "file_only" "4520() Written: [/etc/pam.d/sudo]."
+
+  return 0
+}
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f write_pam_sudo
+
 #######################################
 # Writes CISS Header for '/etc/pam.d/sudo-i'.
 # Globals:
@@ -1258,13 +1355,13 @@ write_pam_sudo-i() {
   insert_comments "${var_target}/etc/pam.d/sudo-i"
   cat << EOF >>   "${var_target}/etc/pam.d/sudo-i"
 #
-# PAM configuration for the sudo service
+# PAM configuration for the sudo-i service
 #
 
-# Reuse a recent successful auth to avoid re-prompting within the TTL.
-auth     sufficient pam_timestamp.so
+# Reuse of recent auth: handled by sudoers 'timestamp_timeout', not by PAM.
+#auth    sufficient pam_timestamp.so
 
-# Standard UNIX password:
+# Standard password for the target account (root or other). pam_unix.so with: try_first_pass nodelay (without nullok).
 @include            common-auth
 
 
@@ -1286,8 +1383,11 @@ auth     required   pam_google_authenticator.so
 @include common-account
 @include common-session
 
-# Maintain a pam_timestamp ticket on successful sudo to suppress re-prompts.
-session  optional   pam_timestamp.so
+# Sets up user limits according to /etc/security/limits.conf. (Replaces the use of /etc/limits in old login).
+session  required   pam_limits.so
+
+# Maintain a pam_timestamp ticket on successful sudo to suppress re-prompts, handled by sudoers 'timestamp_timeout', not by PAM.
+#session optional   pam_timestamp.so
 
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
 EOF

includes/target/usr/local/libexec/ciss_pam_2fa_gate.sh

@@ -21,7 +21,7 @@ set -Ceuo pipefail
 ### Declare Arrays, HashMaps, and Variables.
 declare -g VAR_MAP_FILE="/etc/ciss/2fa.map"
 declare -g VAR_POLICY="${CISS_POLICY:-strict}"
-declare -g VAR_BINDING="${CISS_SU_BINDING:-caller}"
+declare -g VAR_BINDING="${CISS_SU_BINDING:-target}"
 declare -g VAR_U=""
 
 ### PAM variables provided by pam_exec:
@@ -55,7 +55,7 @@ identify_subject() {
       ;;
 
     su|su-l)
-      ### Default: Bind su policy to the caller. Set CISS_SU_BINDING="target" if you want policy bound to the target account.
+      ### Default: Bind su policy to the target. Set CISS_SU_BINDING="caller" if you want policy bound to the caller account.
       case "${VAR_BINDING,,}" in
 
         caller) echo "${PAM_RUSER:-${PAM_USER:-}}" ;;