V8.00.000.2025.06.17

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2025-10-21 07:59:51 +01:00
parent 45b4bd7f12
commit 82096f7b7d
3 changed files with 231 additions and 105 deletions
--- a/func/cdi_4400_hardening/4420_hardening_fail2ban.sh
+++ b/func/cdi_4400_hardening/4420_hardening_fail2ban.sh
@@ -94,18 +94,31 @@ EOF
    fi
    cat << EOF >> "${var_target}/etc/fail2ban/jail.d/ciss-default.conf"
-maxretry  = 8
+maxretry              = 3
-findtime  = 24h
+findtime              = 1d
-bantime   = 24h
+bantime               = 1h
 bantime.increment     = true
 bantime.factor        = 1
 bantime.maxtime       = 16d
 bantime.overalljails  = true
 bantime.rndtime       = 877s
 [recidive]
 enabled               = true
 filter                = recidive
 logpath               = /var/log/fail2ban/fail2ban.log*
 banaction             = iptables-allports
-bantime   = 32d
+maxretry              = 3
-findtime  = 384d
+findtime              = 16d
-maxretry  = 4
+bantime               = 8d
 bantime.increment     = true
 bantime.factor        = 1
 bantime.maxtime       = 96d
 bantime.multipliers   = 1, 2, 4, 8
 bantime.overalljails  = true
 bantime.rndtime       = 877s
 [sshd]
 enabled               = true
@@ -115,9 +128,8 @@ mode      = normal
 port                  = ${VAR_SSH_PORT}
 protocol              = tcp
 logpath               = /var/log/auth.log
-maxretry  = 3
+maxretry              = 4
-findtime  = 24h
+
 bantime   = 24h
 #
 # ufw aggressive approach:
@@ -131,8 +143,6 @@ filter    = ciss.ufw
 action                = iptables-allports
 logpath               = /var/log/ufw.log
 maxretry              = 1
 findtime  = 24h
 bantime   = 24h
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
 EOF
@@ -143,7 +153,13 @@ EOF
    cat << EOF >> "${var_target}/etc/fail2ban/jail.d/ciss-default.conf"
 [DEFAULT]
 usedns                = yes
-ignoreip  = 127.0.0.0/8 ::1
+#                       127.0.0.1/8 – IPv4 loopback range (local host)
 #                       ::1/128     – IPv6 loopback
 #                       fe80::/10   – IPv6 link-local (on-link only; NDP/RA/DAD)
 #                       fc00::/7    – IPv6 ULA (private LAN addresses)
 #                       ff00::/8    – IPv6 multicast (not an unicast host)
 #                       ::/128      – IPv6 unspecified (all zeros; never a real peer)
 ignoreip              = 127.0.0.1/8 ::1/128 fe80::/10 fc00::/7 ff00::/8 ::/128
 # ${VAR_FINAL_FQDN}
  ${VAR_FINAL_IPV4}
 EOF
@@ -156,18 +172,31 @@ EOF
    fi
    cat << EOF >> "${var_target}/etc/fail2ban/jail.d/ciss-default.conf"
-maxretry  = 8
+maxretry              = 3
-findtime  = 24h
+findtime              = 1d
-bantime   = 24h
+bantime               = 1h
 bantime.increment     = true
 bantime.factor        = 1
 bantime.maxtime       = 16d
 bantime.overalljails  = true
 bantime.rndtime       = 877s
 [recidive]
 enabled               = true
 filter                = recidive
 logpath               = /var/log/fail2ban/fail2ban.log*
 banaction             = iptables-allports
-bantime   = 32d
+maxretry              = 3
-findtime  = 384d
+findtime              = 16d
-maxretry  = 4
+bantime               = 8d
 bantime.increment     = true
 bantime.factor        = 1
 bantime.maxtime       = 96d
 bantime.multipliers   = 1, 2, 4, 8
 bantime.overalljails  = true
 bantime.rndtime       = 877s
 [sshd]
 enabled               = true
@@ -177,9 +206,8 @@ mode      = normal
 port                  = ${VAR_SSH_PORT}
 protocol              = tcp
 logpath               = /var/log/auth.log
-maxretry  = 3
+maxretry              = 4
-findtime  = 24h
+
 bantime   = 24h
 #
 # ufw aggressive approach:
@@ -192,9 +220,7 @@ enabled   = true
 filter                = ciss.ufw
 action                = iptables-allports
 logpath               = /var/log/ufw.log
-maxretry  = 8
+maxretry              = 4
 findtime  = 24h
 bantime   = 24h
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
 EOF
--- a/func/cdi_4500_user/4520_accounts_setup.sh
+++ b/func/cdi_4500_user/4520_accounts_setup.sh
@@ -58,9 +58,11 @@ accounts_setup() {
  ### Update pam modules for 2fa.
  mkdir -p "${var_target}/root/.ciss/cdi/backup/etc/pam.d"
  write_pam_common_auth "${var_target}"
  write_pam_login       "${var_target}"
  write_pam_sshd        "${var_target}"
  write_pam_su          "${var_target}"
  write_pam_sudo        "${var_target}"
  write_pam_sudo-i      "${var_target}"
  ### Prepare the '2fa'-seed variable.
@@ -580,6 +582,7 @@ hardening_sudo() {
    cat << 'EOF' >> "${var_sudoers_main}"
 ##### Added by CISS.debian.installer
 Defaults timestamp_timeout=480
 Defaults log_host, log_year, log_input, log_exit_status, log_subcmds, logfile="/var/log/sudo.log", iolog_dir="/var/log/sudo-io"
 EOF
  fi
@@ -931,6 +934,59 @@ write_google_authenticator_file() {
 # shellcheck disable=SC2034
 readonly -f write_google_authenticator_file
 #######################################
 # Writes CISS Header for '/etc/pam.d/common-auth'.
 # Globals:
 #   None
 # Arguments:
 #   1: TARGET
 # Returns:
 #   0: on success
 #######################################
 write_pam_common_auth() {
  ### Declare Arrays, HashMaps, and Variables.
  declare -r  var_target="$1"
  mv "${var_target}/etc/pam.d/common-auth" "${var_target}/root/.ciss/cdi/backup/etc/pam.d/common-auth"
  insert_header   "${var_target}/etc/pam.d/common-auth"
  insert_comments "${var_target}/etc/pam.d/common-auth"
  cat << EOF >>   "${var_target}/etc/pam.d/common-auth"
 #
 # /etc/pam.d/common-auth - authentication settings common to all services
 #
 # This file is included from other service-specific PAM config files, and should contain a list of the authentication modules
 # that define the central authentication scheme for use on the system (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is
 # to use the traditional Unix authentication mechanisms.
 # As of pam 1.0.1-6, this file is managed by pam-auth-update by default. To take advantage of this, it is recommended that you
 # configure any local modules either before or after the default block, and use pam-auth-update to manage selection of other
 # modules. See pam-auth-update(8) for details.
 # Here are the per-package modules (the "Primary" block):
 auth	              [success=1 default=ignore] pam_unix.so try_first_pass nodelay
 # Here is the fallback if no module succeeds:
 auth	   requisite  pam_deny.so
 # Prime the stack with a positive return value if there is not one already; this avoids us returning an error just because
 # nothing sets a success code since the modules above will each just jump around.
 auth	   required   pam_permit.so
 # And here are more per-package modules (the "Additional" block):
 # End of pam-auth-update config.
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
 EOF
  do_log "info" "file_only" "4520() Written: [/etc/pam.d/common-auth]."
  return 0
 }
 ### Prevents accidental 'unset -f'.
 # shellcheck disable=SC2034
 readonly -f write_pam_common_auth
 #######################################
 # Writes CISS Header for '/etc/pam.d/login'.
 # Globals:
@@ -958,17 +1014,17 @@ write_pam_login() {
 # Root only on secure ttys listed in '/etc/securetty' (fail fast, no prompts).
 auth     requisite  pam_securetty.so
 # Disallows other than root logins when /etc/nologin exists. (Replaces the 'NOLOGINS_FILE' option from login.defs).
 auth     requisite  pam_nologin.so
 # Enforce a minimal delay in case of failure (in microseconds). (Replaces the 'FAIL_DELAY' setting from login.defs).
 # Note that other modules may require another minimal delay. (For example, to disable any delay, you should add the 'nodelay'
 # option to pam_unix).
-auth     optional   pam_faildelay.so delay=3200000
+auth     optional   pam_faildelay.so delay=3200000 # 3.2 seconds
 # Outputs an issue file prior to each login prompt (Replaces the ISSUE_FILE option from login.defs). Uncomment for use.
 #auth    required   pam_issue.so issue=/etc/issue
 # Disallows other than root logins when /etc/nologin exists. (Replaces the 'NOLOGINS_FILE' option from login.defs).
 auth     requisite  pam_nologin.so
 # SELinux needs to be the first session rule. This ensures that any lingering context has been cleared. Without this it is
 # possible that a module could execute code in the wrong domain. When the module is present, "required" would be sufficient
 # (When SELinux is disabled, this returns success.)
@@ -995,7 +1051,7 @@ session  required   pam_env.so readenv=1
 # Locale variables can also be set in /etc/default/locale reading this file *in addition to /etc/environment* does not hurt.
 session  required   pam_env.so readenv=1 envfile=/etc/default/locale
-# Standard Un*x authentication.
+# Standard password for the target account (root or other). pam_unix.so with: try_first_pass nodelay (without nullok).
@include            common-auth
@@ -1005,7 +1061,7 @@ session  required   pam_env.so readenv=1 envfile=/etc/default/locale
 auth                [success=2 default=ignore] pam_exec.so quiet /usr/local/libexec/ciss_pam_2fa_gate.sh
 # For listed users: enforce that the secret file exists, else deny without prompting.
-# pam_google_authenticator will itself fail if the file is absent; we add a clear hint before it.
+# pam_google_authenticator will itself fail if the file is absent.
 # No 'nullok' here: listed users MUST have a secret; missing -> hard fail.
 auth     required   pam_echo.so file=/etc/ciss/pam_login_totp.prompt
 auth     required   pam_google_authenticator.so
@@ -1017,8 +1073,6 @@ auth     required   pam_google_authenticator.so
 # edit /etc/security/group.conf to fit your needs (Replaces the 'CONSOLE_GROUPS' option in login.defs).
 auth     optional   pam_group.so
 # Uncomment and edit /etc/security/time.conf if you need to set time restraint on logins. (Replaces the 'PORTTIME_CHECKS_ENAB'
 # option from login.defs as well as /etc/porttime).
 #account requisite  pam_time.so
@@ -1083,13 +1137,15 @@ write_pam_sshd() {
 # PAM configuration for the Secure Shell service
 #
 auth     optional   pam_warn.so
 # ===== CISS 2FA block  ========
 # If gate returns SUCCESS => skip next two lines (no TOTP).
 auth                [success=2 default=ignore] pam_exec.so quiet /usr/local/libexec/ciss_pam_2fa_gate.sh
 # For listed users: enforce that the secret file exists, else deny without prompting.
-# pam_google_authenticator will itself fail if the file is absent; we add a clear hint before it.
+# pam_google_authenticator will itself fail if the file is absent.
 # No 'nullok' here: listed users MUST have a secret; missing -> hard fail.
 auth     required   pam_echo.so file=/etc/ciss/pam_ssh_totp.prompt
 auth     required   pam_google_authenticator.so
@@ -1103,8 +1159,9 @@ auth     sufficient pam_permit.so
 # Keep the rest as shipped by Debian. It will be short-circuited by pam_permit for KI and never reached for 2FA users after
 # successful GA.
-# Standard Un*x authentication.
+# Standard password for the target account (root or other). pam_unix.so with: try_first_pass nodelay (without nullok).
-@include common-auth
+# (omitted deliberately: CISS SSH uses KI/TOTP only; no password path)
 # @include          common-auth
 # Disallow non-root logins when /etc/nologin exists.
 account  required   pam_nologin.so
@@ -1136,7 +1193,7 @@ session  optional   pam_motd.so noupdate
 # Print the status of the user's mailbox upon successful login.
 session  optional   pam_mail.so standard noenv
-# Set up user limits from /etc/security/limits.conf.
+# Sets up user limits according to /etc/security/limits.conf. (Replaces the use of /etc/limits in old login).
 session  required   pam_limits.so
 # Read environment variables from /etc/environment and /etc/security/pam_env.conf.
@@ -1197,11 +1254,7 @@ auth     sufficient pam_rootok.so
 # Hardening of '/bin/su': only members of the group 'sudo' can su to root.
 auth     required   pam_wheel.so group=sudo
-# Sets up user limits according to /etc/security/limits.conf
+# Standard password for the target account (root or other). pam_unix.so with: try_first_pass nodelay (without nullok).
 # (Replaces the use of /etc/limits in old login)
 session  required   pam_limits.so
 # Standard password for the target account (root or other):
@include            common-auth
@@ -1211,7 +1264,7 @@ session  required   pam_limits.so
 auth                [success=2 default=ignore] pam_exec.so quiet /usr/local/libexec/ciss_pam_2fa_gate.sh
 # For listed users: enforce that the secret file exists, else deny without prompting.
-# pam_google_authenticator will itself fail if the file is absent; we add a clear hint before it.
+# pam_google_authenticator will itself fail if the file is absent.
 # No 'nullok' here: listed users MUST have a secret; missing -> hard fail.
 auth     required   pam_echo.so file=/etc/ciss/pam_su_totp.prompt
 auth     required   pam_google_authenticator.so
@@ -1222,6 +1275,9 @@ auth     required   pam_google_authenticator.so
@include common-account
@include common-session
 # Sets up user limits according to /etc/security/limits.conf. (Replaces the use of /etc/limits in old login).
 session  required   pam_limits.so
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
 EOF
@@ -1239,6 +1295,47 @@ EOF
 # shellcheck disable=SC2034
 readonly -f write_pam_su
 #######################################
 # Writes CISS Header for '/etc/pam.d/sudo'.
 # Globals:
 #   None
 # Arguments:
 #   1: TARGET
 # Returns:
 #   0: on success
 #######################################
 write_pam_sudo() {
  ### Declare Arrays, HashMaps, and Variables.
  declare -r  var_target="$1"
  mv "${var_target}/etc/pam.d/sudo-i" "${var_target}/root/.ciss/cdi/backup/etc/pam.d/sudo"
  insert_header   "${var_target}/etc/pam.d/sudo"
  insert_comments "${var_target}/etc/pam.d/sudo"
  cat << EOF >>   "${var_target}/etc/pam.d/sudo"
 #
 # PAM configuration for the sudo service
 #
 # Sets up user limits according to /etc/security/limits.conf. (Replaces the use of /etc/limits in old login).
 session  required   pam_limits.so
 # Standard password for the target account (root or other). pam_unix.so with: try_first_pass nodelay (without nullok).
@include            common-auth
@include            common-account
@include            common-session-noninteractive
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
 EOF
  do_log "info" "file_only" "4520() Written: [/etc/pam.d/sudo]."
  return 0
 }
 ### Prevents accidental 'unset -f'.
 # shellcheck disable=SC2034
 readonly -f write_pam_sudo
 #######################################
 # Writes CISS Header for '/etc/pam.d/sudo-i'.
 # Globals:
@@ -1258,13 +1355,13 @@ write_pam_sudo-i() {
  insert_comments "${var_target}/etc/pam.d/sudo-i"
  cat << EOF >>   "${var_target}/etc/pam.d/sudo-i"
 #
-# PAM configuration for the sudo service
+# PAM configuration for the sudo-i service
 #
-# Reuse a recent successful auth to avoid re-prompting within the TTL.
+# Reuse of recent auth: handled by sudoers 'timestamp_timeout', not by PAM.
-auth     sufficient pam_timestamp.so
+#auth    sufficient pam_timestamp.so
-# Standard UNIX password:
+# Standard password for the target account (root or other). pam_unix.so with: try_first_pass nodelay (without nullok).
@include            common-auth
@@ -1286,8 +1383,11 @@ auth     required   pam_google_authenticator.so
@include common-account
@include common-session
-# Maintain a pam_timestamp ticket on successful sudo to suppress re-prompts.
+# Sets up user limits according to /etc/security/limits.conf. (Replaces the use of /etc/limits in old login).
-session  optional   pam_timestamp.so
+session  required   pam_limits.so
 # Maintain a pam_timestamp ticket on successful sudo to suppress re-prompts, handled by sudoers 'timestamp_timeout', not by PAM.
 #session optional   pam_timestamp.so
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
 EOF
--- a/includes/target/usr/local/libexec/ciss_pam_2fa_gate.sh
+++ b/includes/target/usr/local/libexec/ciss_pam_2fa_gate.sh
@@ -21,7 +21,7 @@ set -Ceuo pipefail
 ### Declare Arrays, HashMaps, and Variables.
 declare -g VAR_MAP_FILE="/etc/ciss/2fa.map"
 declare -g VAR_POLICY="${CISS_POLICY:-strict}"
-declare -g VAR_BINDING="${CISS_SU_BINDING:-caller}"
+declare -g VAR_BINDING="${CISS_SU_BINDING:-target}"
 declare -g VAR_U=""
 ### PAM variables provided by pam_exec:
@@ -55,7 +55,7 @@ identify_subject() {
      ;;
    su|su-l)
-      ### Default: Bind su policy to the caller. Set CISS_SU_BINDING="target" if you want policy bound to the target account.
+      ### Default: Bind su policy to the target. Set CISS_SU_BINDING="caller" if you want policy bound to the caller account.
      case "${VAR_BINDING,,}" in
        caller) echo "${PAM_RUSER:-${PAM_USER:-}}" ;;