V8.00.000.2025.06.17
All checks were successful
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 1m51s
All checks were successful
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 1m51s
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
This commit is contained in:
@@ -851,11 +851,11 @@ user:
|
|||||||
sshpubkey: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINAYZDAqVZUk3LwJsqeVHKvLn8UKkFx642VBbiSS8uSY 2025_ciss.debian.live.ISO_PUBLIC_ONLY"
|
sshpubkey: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINAYZDAqVZUk3LwJsqeVHKvLn8UKkFx642VBbiSS8uSY 2025_ciss.debian.live.ISO_PUBLIC_ONLY"
|
||||||
authentication:
|
authentication:
|
||||||
access:
|
access:
|
||||||
ssh: true # Allow SSH access.
|
ssh: false # Allow SSH access.
|
||||||
tty: true # Allow TTY (local console) login.
|
tty: false # Allow TTY (local console) login.
|
||||||
password: true # Allow password login. SSH password login is always disabled.
|
password: true # Allow password login. SSH password login is always disabled.
|
||||||
2fa:
|
2fa:
|
||||||
ssh: false # Require 2FA for SSH access.
|
ssh: true # Require 2FA for SSH access.
|
||||||
tty: true # Require 2FA for TTY (local console) login.
|
tty: true # Require 2FA for TTY (local console) login.
|
||||||
privileges:
|
privileges:
|
||||||
description: "Root user with full system access and administrative privileges."
|
description: "Root user with full system access and administrative privileges."
|
||||||
|
|||||||
@@ -144,7 +144,7 @@ bantime.maxtime = 16d
|
|||||||
bantime.multipliers = 1 2 4 8 16 32 64 128 256 384
|
bantime.multipliers = 1 2 4 8 16 32 64 128 256 384
|
||||||
bantime.overalljails = true
|
bantime.overalljails = true
|
||||||
bantime.rndtime = 877s
|
bantime.rndtime = 877s
|
||||||
filter = ciss.icmp
|
filter = ciss-icmp
|
||||||
findtime = 16m
|
findtime = 16m
|
||||||
logpath = /var/log/ufw.log
|
logpath = /var/log/ufw.log
|
||||||
maxretry = 1
|
maxretry = 1
|
||||||
@@ -159,7 +159,7 @@ bantime.maxtime = 16d
|
|||||||
bantime.multipliers = 1 2 4 8 16 32 64 128 256 384
|
bantime.multipliers = 1 2 4 8 16 32 64 128 256 384
|
||||||
bantime.overalljails = true
|
bantime.overalljails = true
|
||||||
bantime.rndtime = 877s
|
bantime.rndtime = 877s
|
||||||
filter = ciss.ufw
|
filter = ciss-ufw
|
||||||
findtime = 16m
|
findtime = 16m
|
||||||
logpath = /var/log/ufw.log
|
logpath = /var/log/ufw.log
|
||||||
maxretry = 1
|
maxretry = 1
|
||||||
@@ -242,7 +242,7 @@ bantime.maxtime = 16d
|
|||||||
bantime.multipliers = 1 2 4 8 16 32 64 128 256 384
|
bantime.multipliers = 1 2 4 8 16 32 64 128 256 384
|
||||||
bantime.overalljails = true
|
bantime.overalljails = true
|
||||||
bantime.rndtime = 877s
|
bantime.rndtime = 877s
|
||||||
filter = ciss.icmp
|
filter = ciss-icmp
|
||||||
findtime = 16m
|
findtime = 16m
|
||||||
logpath = /var/log/ufw.log
|
logpath = /var/log/ufw.log
|
||||||
maxretry = 3
|
maxretry = 3
|
||||||
@@ -257,7 +257,7 @@ bantime.maxtime = 16d
|
|||||||
bantime.multipliers = 1 2 4 8 16 32 64 128 256 384
|
bantime.multipliers = 1 2 4 8 16 32 64 128 256 384
|
||||||
bantime.overalljails = true
|
bantime.overalljails = true
|
||||||
bantime.rndtime = 877s
|
bantime.rndtime = 877s
|
||||||
filter = ciss.ufw
|
filter = ciss-ufw
|
||||||
findtime = 16m
|
findtime = 16m
|
||||||
logpath = /var/log/ufw.log
|
logpath = /var/log/ufw.log
|
||||||
maxretry = 3
|
maxretry = 3
|
||||||
@@ -274,9 +274,9 @@ EOF
|
|||||||
|
|
||||||
fi
|
fi
|
||||||
|
|
||||||
insert_header "${var_target}/etc/fail2ban/filter.d/ciss.icmp.conf"
|
insert_header "${var_target}/etc/fail2ban/filter.d/ciss-icmp.conf"
|
||||||
insert_comments "${var_target}/etc/fail2ban/filter.d/ciss.icmp.conf"
|
insert_comments "${var_target}/etc/fail2ban/filter.d/ciss-icmp.conf"
|
||||||
cat << EOF >> "${var_target}/etc/fail2ban/filter.d/ciss.icmp.conf"
|
cat << EOF >> "${var_target}/etc/fail2ban/filter.d/ciss-icmp.conf"
|
||||||
[Definition]
|
[Definition]
|
||||||
# Generic ICMP/ICMPv6 blocks
|
# Generic ICMP/ICMPv6 blocks
|
||||||
failregex = ^.*UFW (?:BLOCK|REJECT).*?\bSRC=<HOST>\b.*?\bPROTO=ICMP\b.*$
|
failregex = ^.*UFW (?:BLOCK|REJECT).*?\bSRC=<HOST>\b.*?\bPROTO=ICMP\b.*$
|
||||||
@@ -285,9 +285,9 @@ failregex = ^.*UFW (?:BLOCK|REJECT).*?\bSRC=<HOST>\b.*?\bPROTO=ICMP\
|
|||||||
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
|
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
|
||||||
EOF
|
EOF
|
||||||
|
|
||||||
insert_header "${var_target}/etc/fail2ban/filter.d/ciss.ufw.conf"
|
insert_header "${var_target}/etc/fail2ban/filter.d/ciss-ufw.conf"
|
||||||
insert_comments "${var_target}/etc/fail2ban/filter.d/ciss.ufw.conf"
|
insert_comments "${var_target}/etc/fail2ban/filter.d/ciss-ufw.conf"
|
||||||
cat << EOF >> "${var_target}/etc/fail2ban/filter.d/ciss.ufw.conf"
|
cat << EOF >> "${var_target}/etc/fail2ban/filter.d/ciss-ufw.conf"
|
||||||
[Definition]
|
[Definition]
|
||||||
# Match UFW BLOCK/REJECT with a source IP and *any* port field (SPT or DPT), protocol may be missing.
|
# Match UFW BLOCK/REJECT with a source IP and *any* port field (SPT or DPT), protocol may be missing.
|
||||||
failregex = ^.*UFW (?:BLOCK|REJECT).*?\bSRC=<HOST>\b.*?(?:\bDPT=\d+\b|\bSPT=\d+\b).*$
|
failregex = ^.*UFW (?:BLOCK|REJECT).*?\bSRC=<HOST>\b.*?(?:\bDPT=\d+\b|\bSPT=\d+\b).*$
|
||||||
|
|||||||
@@ -43,22 +43,27 @@ guard_sourcing
|
|||||||
# '/etc/pam.d/common-session'
|
# '/etc/pam.d/common-session'
|
||||||
# '/etc/pam.d/common-session-noninteractive'
|
# '/etc/pam.d/common-session-noninteractive'
|
||||||
# Globals:
|
# Globals:
|
||||||
|
# RECOVERY
|
||||||
# TARGET
|
# TARGET
|
||||||
# VAR_ARCHITECTURE
|
# VAR_RUN_RECOVERY
|
||||||
# VAR_CODENAME
|
|
||||||
# VAR_VERSION
|
|
||||||
# Arguments:
|
# Arguments:
|
||||||
# None
|
# None
|
||||||
# Returns:
|
# Returns:
|
||||||
# 0: on success
|
# 0: on success
|
||||||
#######################################
|
#######################################
|
||||||
hardening_memory() {
|
hardening_memory() {
|
||||||
mkdir -p "${TARGET}/etc/systemd/coredump.conf.d"
|
### Declare Arrays, HashMaps, and Variables.
|
||||||
mkdir -p "${TARGET}/etc/systemd/system.conf.d"
|
declare var_target="${TARGET}"
|
||||||
|
|
||||||
insert_header "${TARGET}/etc/security/limits.d/99-ciss-core.conf"
|
### Check for TARGET / RECOVERY.
|
||||||
insert_comments "${TARGET}/etc/security/limits.d/99-ciss-core.conf"
|
[[ "${VAR_RUN_RECOVERY}" == "true" ]] && var_target="${RECOVERY}"
|
||||||
cat << 'EOF' >> "${TARGET}/etc/security/limits.d/99-ciss-core.conf"
|
|
||||||
|
mkdir -p "${var_target}/etc/systemd/coredump.conf.d"
|
||||||
|
mkdir -p "${var_target}/etc/systemd/system.conf.d"
|
||||||
|
|
||||||
|
insert_header "${var_target}/etc/security/limits.d/99-ciss-core.conf"
|
||||||
|
insert_comments "${var_target}/etc/security/limits.d/99-ciss-core.conf"
|
||||||
|
cat << 'EOF' >> "${var_target}/etc/security/limits.d/99-ciss-core.conf"
|
||||||
# Enforce: no core dumps for all logins by default.
|
# Enforce: no core dumps for all logins by default.
|
||||||
# Format: <domain> <type> <item> <value>
|
# Format: <domain> <type> <item> <value>
|
||||||
* hard core 0
|
* hard core 0
|
||||||
@@ -70,9 +75,9 @@ root soft core 0
|
|||||||
EOF
|
EOF
|
||||||
|
|
||||||
|
|
||||||
insert_header "${TARGET}/etc/systemd/coredump.conf.d/disable.conf"
|
insert_header "${var_target}/etc/systemd/coredump.conf.d/disable.conf"
|
||||||
insert_comments "${TARGET}/etc/systemd/coredump.conf.d/disable.conf"
|
insert_comments "${var_target}/etc/systemd/coredump.conf.d/disable.conf"
|
||||||
cat << 'EOF' >> "${TARGET}/etc/systemd/coredump.conf.d/disable.conf"
|
cat << 'EOF' >> "${var_target}/etc/systemd/coredump.conf.d/disable.conf"
|
||||||
### Do not store core images anywhere, keep the at most minimal metadata.
|
### Do not store core images anywhere, keep the at most minimal metadata.
|
||||||
|
|
||||||
[Coredump]
|
[Coredump]
|
||||||
@@ -85,20 +90,26 @@ JournalSizeMax=0
|
|||||||
EOF
|
EOF
|
||||||
|
|
||||||
|
|
||||||
[[ -f "${TARGET}/etc/systemd/system.conf.d/10-coredump-debian.conf" ]] && \
|
[[ -f "${var_target}/etc/systemd/system.conf.d/10-coredump-debian.conf" ]] && \
|
||||||
mv "${TARGET}/etc/systemd/system.conf.d/10-coredump-debian.conf" "${TARGET}/etc/systemd/system.conf.d/10-coredump-debian.conf.bak"
|
mv "${var_target}/etc/systemd/system.conf.d/10-coredump-debian.conf" "${var_target}/etc/systemd/system.conf.d/10-coredump-debian.conf.bak"
|
||||||
|
|
||||||
|
|
||||||
insert_header "${TARGET}/etc/systemd/system.conf.d/99-ciss-core.conf"
|
insert_header "${var_target}/etc/systemd/system.conf.d/99-ciss-core.conf"
|
||||||
insert_comments "${TARGET}/etc/systemd/system.conf.d/99-ciss-core.conf"
|
insert_comments "${var_target}/etc/systemd/system.conf.d/99-ciss-core.conf"
|
||||||
cat << 'EOF' >> "${TARGET}/etc/systemd/system.conf.d/99-ciss-core.conf"
|
cat << 'EOF' >> "${var_target}/etc/systemd/system.conf.d/99-ciss-core.conf"
|
||||||
[Manager]
|
[Manager]
|
||||||
DefaultLimitCORE=0
|
DefaultLimitCORE=0
|
||||||
|
|
||||||
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
|
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
|
||||||
EOF
|
EOF
|
||||||
|
|
||||||
guard_pam_limits
|
### Unified in 4520()
|
||||||
|
# - write_pam_login()
|
||||||
|
# - write_pam_sshd()
|
||||||
|
# - write_pam_su()
|
||||||
|
# - write_pam_sudo()
|
||||||
|
# - write_pam_sudo-i()
|
||||||
|
# guard_pam_limits
|
||||||
|
|
||||||
guard_dir && return 0
|
guard_dir && return 0
|
||||||
}
|
}
|
||||||
@@ -111,7 +122,9 @@ readonly -f hardening_memory
|
|||||||
# '/etc/pam.d/common-session'
|
# '/etc/pam.d/common-session'
|
||||||
# '/etc/pam.d/common-session-noninteractive'
|
# '/etc/pam.d/common-session-noninteractive'
|
||||||
# Globals:
|
# Globals:
|
||||||
|
# RECOVERY
|
||||||
# TARGET
|
# TARGET
|
||||||
|
# VAR_RUN_RECOVERY
|
||||||
# Arguments:
|
# Arguments:
|
||||||
# None
|
# None
|
||||||
# Returns:
|
# Returns:
|
||||||
@@ -119,8 +132,13 @@ readonly -f hardening_memory
|
|||||||
#######################################
|
#######################################
|
||||||
guard_pam_limits() {
|
guard_pam_limits() {
|
||||||
### Declare Arrays, HashMaps, and Variables.
|
### Declare Arrays, HashMaps, and Variables.
|
||||||
declare var_file_0="${TARGET}/etc/pam.d/common-session"
|
declare var_target="${TARGET}"
|
||||||
declare var_file_1="${TARGET}/etc/pam.d/common-session-noninteractive"
|
|
||||||
|
### Check for TARGET / RECOVERY.
|
||||||
|
[[ "${VAR_RUN_RECOVERY}" == "true" ]] && var_target="${RECOVERY}"
|
||||||
|
|
||||||
|
declare var_file_0="${var_target}/etc/pam.d/common-session"
|
||||||
|
declare var_file_1="${var_target}/etc/pam.d/common-session-noninteractive"
|
||||||
declare var_line='session required pam_limits.so' var_file=""
|
declare var_line='session required pam_limits.so' var_file=""
|
||||||
declare -i var_changed=0
|
declare -i var_changed=0
|
||||||
|
|
||||||
|
|||||||
@@ -47,7 +47,7 @@ accounts_hardening() {
|
|||||||
install -d -m 0755 -o root -g root "${var_target}/etc/ciss"
|
install -d -m 0755 -o root -g root "${var_target}/etc/ciss"
|
||||||
insert_header "${var_target}/etc/ciss/2fa.map"
|
insert_header "${var_target}/etc/ciss/2fa.map"
|
||||||
insert_comments "${var_target}/etc/ciss/2fa.map"
|
insert_comments "${var_target}/etc/ciss/2fa.map"
|
||||||
chmod 0600 "${var_target}/etc/ciss/2fa.map"
|
chmod 0644 "${var_target}/etc/ciss/2fa.map"
|
||||||
|
|
||||||
### Keep 'tty1' active, disable the rest.
|
### Keep 'tty1' active, disable the rest.
|
||||||
# shellcheck disable=SC2016
|
# shellcheck disable=SC2016
|
||||||
|
|||||||
@@ -361,6 +361,7 @@ EOF
|
|||||||
|
|
||||||
chroot_script "${TARGET}" "
|
chroot_script "${TARGET}" "
|
||||||
export INITRD=No
|
export INITRD=No
|
||||||
|
[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
|
||||||
apt-get install -y --no-install-recommends --no-install-suggests aide aide-common 2>&1 | tee -a ${var_logfile}
|
apt-get install -y --no-install-recommends --no-install-suggests aide aide-common 2>&1 | tee -a ${var_logfile}
|
||||||
|
|
||||||
sed -i 's/Checksums = H/Checksums = sha512/' /etc/aide/aide.conf
|
sed -i 's/Checksums = H/Checksums = sha512/' /etc/aide/aide.conf
|
||||||
@@ -369,17 +370,24 @@ EOF
|
|||||||
|
|
||||||
chroot_script "${TARGET}" "
|
chroot_script "${TARGET}" "
|
||||||
export INITRD=No
|
export INITRD=No
|
||||||
|
[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
|
||||||
apt-get install -y --no-install-recommends --no-install-suggests debsums 2>&1 | tee -a ${var_logfile}
|
apt-get install -y --no-install-recommends --no-install-suggests debsums 2>&1 | tee -a ${var_logfile}
|
||||||
|
|
||||||
if ! debsums -g >> ${var_logfile} 2>> ${var_logfile}; then
|
if ! debsums -g >> ${var_logfile} 2>> ${var_logfile}; then
|
||||||
printf 'Running debsums -g - encountered errors.' >> ${var_logfile}
|
printf 'Running debsums -g - encountered errors.' >> ${var_logfile}
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
mkdir -p /root/.ciss/cdi/backup/etc/default
|
||||||
|
cp -a /etc/default/debsums /root/.ciss/cdi/backup/etc/default/debsums.bak
|
||||||
|
sed -i 's/CRON_CHECK=never/CRON_CHECK=monthly/' /etc/default/debsums
|
||||||
"
|
"
|
||||||
|
|
||||||
chroot_script "${TARGET}" "
|
chroot_script "${TARGET}" "
|
||||||
rkhunter --propupd 2>&1 | tee -a ${var_logfile}
|
rkhunter --propupd 2>&1 | tee -a ${var_logfile}
|
||||||
"
|
"
|
||||||
|
|
||||||
|
chroot_exec "${TARGET}" sed -i 's#^\(ENABLED=\).*#\1"true"#' /etc/default/sysstat
|
||||||
|
|
||||||
guard_dir && return 0
|
guard_dir && return 0
|
||||||
}
|
}
|
||||||
### Prevents accidental 'unset -f'.
|
### Prevents accidental 'unset -f'.
|
||||||
|
|||||||
@@ -82,6 +82,7 @@ TTYPERM 0600
|
|||||||
#
|
#
|
||||||
ERASECHAR 0177
|
ERASECHAR 0177
|
||||||
KILLCHAR 025
|
KILLCHAR 025
|
||||||
|
UMASK 0077
|
||||||
|
|
||||||
# HOME_MODE is used by useradd(8) and newusers(8) to set the mode for new
|
# HOME_MODE is used by useradd(8) and newusers(8) to set the mode for new
|
||||||
# home directories.
|
# home directories.
|
||||||
@@ -95,7 +96,7 @@ HOME_MODE 0700
|
|||||||
# PASS_WARN_AGE Number of days warning given before a password expires.
|
# PASS_WARN_AGE Number of days warning given before a password expires.
|
||||||
#
|
#
|
||||||
PASS_MAX_DAYS 16384
|
PASS_MAX_DAYS 16384
|
||||||
PASS_MIN_DAYS 0
|
PASS_MIN_DAYS 1
|
||||||
PASS_WARN_AGE 128
|
PASS_WARN_AGE 128
|
||||||
|
|
||||||
#
|
#
|
||||||
@@ -159,6 +160,8 @@ CHFN_RESTRICT rwh
|
|||||||
# the PAM modules configuration.
|
# the PAM modules configuration.
|
||||||
#
|
#
|
||||||
ENCRYPT_METHOD YESCRYPT
|
ENCRYPT_METHOD YESCRYPT
|
||||||
|
SHA_CRYPT_MIN_ROUNDS 8388608
|
||||||
|
SHA_CRYPT_MAX_ROUNDS 8388608
|
||||||
|
|
||||||
#
|
#
|
||||||
# Should login be allowed if we can't cd to the home directory?
|
# Should login be allowed if we can't cd to the home directory?
|
||||||
|
|||||||
@@ -13,6 +13,7 @@
|
|||||||
: "${XDG_CACHE_HOME:=${HOME}/.cache}"
|
: "${XDG_CACHE_HOME:=${HOME}/.cache}"
|
||||||
: "${XDG_DATA_HOME:=${HOME}/.local/share}"
|
: "${XDG_DATA_HOME:=${HOME}/.local/share}"
|
||||||
: "${XDG_STATE_HOME:=${HOME}/.local/state}"
|
: "${XDG_STATE_HOME:=${HOME}/.local/state}"
|
||||||
|
|
||||||
# Do NOT set XDG_RUNTIME_DIR here.
|
# Do NOT set XDG_RUNTIME_DIR here.
|
||||||
|
|
||||||
export XDG_CONFIG_HOME XDG_CACHE_HOME XDG_DATA_HOME XDG_STATE_HOME
|
export XDG_CONFIG_HOME XDG_CACHE_HOME XDG_DATA_HOME XDG_STATE_HOME
|
||||||
|
|||||||
Reference in New Issue
Block a user