V8.00.000.2025.06.17
All checks were successful
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 1m51s
All checks were successful
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 1m51s
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
This commit is contained in:
@@ -851,11 +851,11 @@ user:
|
||||
sshpubkey: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINAYZDAqVZUk3LwJsqeVHKvLn8UKkFx642VBbiSS8uSY 2025_ciss.debian.live.ISO_PUBLIC_ONLY"
|
||||
authentication:
|
||||
access:
|
||||
ssh: true # Allow SSH access.
|
||||
tty: true # Allow TTY (local console) login.
|
||||
ssh: false # Allow SSH access.
|
||||
tty: false # Allow TTY (local console) login.
|
||||
password: true # Allow password login. SSH password login is always disabled.
|
||||
2fa:
|
||||
ssh: false # Require 2FA for SSH access.
|
||||
ssh: true # Require 2FA for SSH access.
|
||||
tty: true # Require 2FA for TTY (local console) login.
|
||||
privileges:
|
||||
description: "Root user with full system access and administrative privileges."
|
||||
|
||||
@@ -144,7 +144,7 @@ bantime.maxtime = 16d
|
||||
bantime.multipliers = 1 2 4 8 16 32 64 128 256 384
|
||||
bantime.overalljails = true
|
||||
bantime.rndtime = 877s
|
||||
filter = ciss.icmp
|
||||
filter = ciss-icmp
|
||||
findtime = 16m
|
||||
logpath = /var/log/ufw.log
|
||||
maxretry = 1
|
||||
@@ -159,7 +159,7 @@ bantime.maxtime = 16d
|
||||
bantime.multipliers = 1 2 4 8 16 32 64 128 256 384
|
||||
bantime.overalljails = true
|
||||
bantime.rndtime = 877s
|
||||
filter = ciss.ufw
|
||||
filter = ciss-ufw
|
||||
findtime = 16m
|
||||
logpath = /var/log/ufw.log
|
||||
maxretry = 1
|
||||
@@ -242,7 +242,7 @@ bantime.maxtime = 16d
|
||||
bantime.multipliers = 1 2 4 8 16 32 64 128 256 384
|
||||
bantime.overalljails = true
|
||||
bantime.rndtime = 877s
|
||||
filter = ciss.icmp
|
||||
filter = ciss-icmp
|
||||
findtime = 16m
|
||||
logpath = /var/log/ufw.log
|
||||
maxretry = 3
|
||||
@@ -257,7 +257,7 @@ bantime.maxtime = 16d
|
||||
bantime.multipliers = 1 2 4 8 16 32 64 128 256 384
|
||||
bantime.overalljails = true
|
||||
bantime.rndtime = 877s
|
||||
filter = ciss.ufw
|
||||
filter = ciss-ufw
|
||||
findtime = 16m
|
||||
logpath = /var/log/ufw.log
|
||||
maxretry = 3
|
||||
@@ -274,9 +274,9 @@ EOF
|
||||
|
||||
fi
|
||||
|
||||
insert_header "${var_target}/etc/fail2ban/filter.d/ciss.icmp.conf"
|
||||
insert_comments "${var_target}/etc/fail2ban/filter.d/ciss.icmp.conf"
|
||||
cat << EOF >> "${var_target}/etc/fail2ban/filter.d/ciss.icmp.conf"
|
||||
insert_header "${var_target}/etc/fail2ban/filter.d/ciss-icmp.conf"
|
||||
insert_comments "${var_target}/etc/fail2ban/filter.d/ciss-icmp.conf"
|
||||
cat << EOF >> "${var_target}/etc/fail2ban/filter.d/ciss-icmp.conf"
|
||||
[Definition]
|
||||
# Generic ICMP/ICMPv6 blocks
|
||||
failregex = ^.*UFW (?:BLOCK|REJECT).*?\bSRC=<HOST>\b.*?\bPROTO=ICMP\b.*$
|
||||
@@ -285,9 +285,9 @@ failregex = ^.*UFW (?:BLOCK|REJECT).*?\bSRC=<HOST>\b.*?\bPROTO=ICMP\
|
||||
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
|
||||
EOF
|
||||
|
||||
insert_header "${var_target}/etc/fail2ban/filter.d/ciss.ufw.conf"
|
||||
insert_comments "${var_target}/etc/fail2ban/filter.d/ciss.ufw.conf"
|
||||
cat << EOF >> "${var_target}/etc/fail2ban/filter.d/ciss.ufw.conf"
|
||||
insert_header "${var_target}/etc/fail2ban/filter.d/ciss-ufw.conf"
|
||||
insert_comments "${var_target}/etc/fail2ban/filter.d/ciss-ufw.conf"
|
||||
cat << EOF >> "${var_target}/etc/fail2ban/filter.d/ciss-ufw.conf"
|
||||
[Definition]
|
||||
# Match UFW BLOCK/REJECT with a source IP and *any* port field (SPT or DPT), protocol may be missing.
|
||||
failregex = ^.*UFW (?:BLOCK|REJECT).*?\bSRC=<HOST>\b.*?(?:\bDPT=\d+\b|\bSPT=\d+\b).*$
|
||||
|
||||
@@ -43,22 +43,27 @@ guard_sourcing
|
||||
# '/etc/pam.d/common-session'
|
||||
# '/etc/pam.d/common-session-noninteractive'
|
||||
# Globals:
|
||||
# RECOVERY
|
||||
# TARGET
|
||||
# VAR_ARCHITECTURE
|
||||
# VAR_CODENAME
|
||||
# VAR_VERSION
|
||||
# VAR_RUN_RECOVERY
|
||||
# Arguments:
|
||||
# None
|
||||
# Returns:
|
||||
# 0: on success
|
||||
#######################################
|
||||
hardening_memory() {
|
||||
mkdir -p "${TARGET}/etc/systemd/coredump.conf.d"
|
||||
mkdir -p "${TARGET}/etc/systemd/system.conf.d"
|
||||
### Declare Arrays, HashMaps, and Variables.
|
||||
declare var_target="${TARGET}"
|
||||
|
||||
insert_header "${TARGET}/etc/security/limits.d/99-ciss-core.conf"
|
||||
insert_comments "${TARGET}/etc/security/limits.d/99-ciss-core.conf"
|
||||
cat << 'EOF' >> "${TARGET}/etc/security/limits.d/99-ciss-core.conf"
|
||||
### Check for TARGET / RECOVERY.
|
||||
[[ "${VAR_RUN_RECOVERY}" == "true" ]] && var_target="${RECOVERY}"
|
||||
|
||||
mkdir -p "${var_target}/etc/systemd/coredump.conf.d"
|
||||
mkdir -p "${var_target}/etc/systemd/system.conf.d"
|
||||
|
||||
insert_header "${var_target}/etc/security/limits.d/99-ciss-core.conf"
|
||||
insert_comments "${var_target}/etc/security/limits.d/99-ciss-core.conf"
|
||||
cat << 'EOF' >> "${var_target}/etc/security/limits.d/99-ciss-core.conf"
|
||||
# Enforce: no core dumps for all logins by default.
|
||||
# Format: <domain> <type> <item> <value>
|
||||
* hard core 0
|
||||
@@ -70,9 +75,9 @@ root soft core 0
|
||||
EOF
|
||||
|
||||
|
||||
insert_header "${TARGET}/etc/systemd/coredump.conf.d/disable.conf"
|
||||
insert_comments "${TARGET}/etc/systemd/coredump.conf.d/disable.conf"
|
||||
cat << 'EOF' >> "${TARGET}/etc/systemd/coredump.conf.d/disable.conf"
|
||||
insert_header "${var_target}/etc/systemd/coredump.conf.d/disable.conf"
|
||||
insert_comments "${var_target}/etc/systemd/coredump.conf.d/disable.conf"
|
||||
cat << 'EOF' >> "${var_target}/etc/systemd/coredump.conf.d/disable.conf"
|
||||
### Do not store core images anywhere, keep the at most minimal metadata.
|
||||
|
||||
[Coredump]
|
||||
@@ -85,20 +90,26 @@ JournalSizeMax=0
|
||||
EOF
|
||||
|
||||
|
||||
[[ -f "${TARGET}/etc/systemd/system.conf.d/10-coredump-debian.conf" ]] && \
|
||||
mv "${TARGET}/etc/systemd/system.conf.d/10-coredump-debian.conf" "${TARGET}/etc/systemd/system.conf.d/10-coredump-debian.conf.bak"
|
||||
[[ -f "${var_target}/etc/systemd/system.conf.d/10-coredump-debian.conf" ]] && \
|
||||
mv "${var_target}/etc/systemd/system.conf.d/10-coredump-debian.conf" "${var_target}/etc/systemd/system.conf.d/10-coredump-debian.conf.bak"
|
||||
|
||||
|
||||
insert_header "${TARGET}/etc/systemd/system.conf.d/99-ciss-core.conf"
|
||||
insert_comments "${TARGET}/etc/systemd/system.conf.d/99-ciss-core.conf"
|
||||
cat << 'EOF' >> "${TARGET}/etc/systemd/system.conf.d/99-ciss-core.conf"
|
||||
insert_header "${var_target}/etc/systemd/system.conf.d/99-ciss-core.conf"
|
||||
insert_comments "${var_target}/etc/systemd/system.conf.d/99-ciss-core.conf"
|
||||
cat << 'EOF' >> "${var_target}/etc/systemd/system.conf.d/99-ciss-core.conf"
|
||||
[Manager]
|
||||
DefaultLimitCORE=0
|
||||
|
||||
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
|
||||
EOF
|
||||
|
||||
guard_pam_limits
|
||||
### Unified in 4520()
|
||||
# - write_pam_login()
|
||||
# - write_pam_sshd()
|
||||
# - write_pam_su()
|
||||
# - write_pam_sudo()
|
||||
# - write_pam_sudo-i()
|
||||
# guard_pam_limits
|
||||
|
||||
guard_dir && return 0
|
||||
}
|
||||
@@ -111,7 +122,9 @@ readonly -f hardening_memory
|
||||
# '/etc/pam.d/common-session'
|
||||
# '/etc/pam.d/common-session-noninteractive'
|
||||
# Globals:
|
||||
# RECOVERY
|
||||
# TARGET
|
||||
# VAR_RUN_RECOVERY
|
||||
# Arguments:
|
||||
# None
|
||||
# Returns:
|
||||
@@ -119,8 +132,13 @@ readonly -f hardening_memory
|
||||
#######################################
|
||||
guard_pam_limits() {
|
||||
### Declare Arrays, HashMaps, and Variables.
|
||||
declare var_file_0="${TARGET}/etc/pam.d/common-session"
|
||||
declare var_file_1="${TARGET}/etc/pam.d/common-session-noninteractive"
|
||||
declare var_target="${TARGET}"
|
||||
|
||||
### Check for TARGET / RECOVERY.
|
||||
[[ "${VAR_RUN_RECOVERY}" == "true" ]] && var_target="${RECOVERY}"
|
||||
|
||||
declare var_file_0="${var_target}/etc/pam.d/common-session"
|
||||
declare var_file_1="${var_target}/etc/pam.d/common-session-noninteractive"
|
||||
declare var_line='session required pam_limits.so' var_file=""
|
||||
declare -i var_changed=0
|
||||
|
||||
|
||||
@@ -47,7 +47,7 @@ accounts_hardening() {
|
||||
install -d -m 0755 -o root -g root "${var_target}/etc/ciss"
|
||||
insert_header "${var_target}/etc/ciss/2fa.map"
|
||||
insert_comments "${var_target}/etc/ciss/2fa.map"
|
||||
chmod 0600 "${var_target}/etc/ciss/2fa.map"
|
||||
chmod 0644 "${var_target}/etc/ciss/2fa.map"
|
||||
|
||||
### Keep 'tty1' active, disable the rest.
|
||||
# shellcheck disable=SC2016
|
||||
|
||||
@@ -361,6 +361,7 @@ EOF
|
||||
|
||||
chroot_script "${TARGET}" "
|
||||
export INITRD=No
|
||||
[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
|
||||
apt-get install -y --no-install-recommends --no-install-suggests aide aide-common 2>&1 | tee -a ${var_logfile}
|
||||
|
||||
sed -i 's/Checksums = H/Checksums = sha512/' /etc/aide/aide.conf
|
||||
@@ -369,17 +370,24 @@ EOF
|
||||
|
||||
chroot_script "${TARGET}" "
|
||||
export INITRD=No
|
||||
[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
|
||||
apt-get install -y --no-install-recommends --no-install-suggests debsums 2>&1 | tee -a ${var_logfile}
|
||||
|
||||
if ! debsums -g >> ${var_logfile} 2>> ${var_logfile}; then
|
||||
printf 'Running debsums -g - encountered errors.' >> ${var_logfile}
|
||||
fi
|
||||
|
||||
mkdir -p /root/.ciss/cdi/backup/etc/default
|
||||
cp -a /etc/default/debsums /root/.ciss/cdi/backup/etc/default/debsums.bak
|
||||
sed -i 's/CRON_CHECK=never/CRON_CHECK=monthly/' /etc/default/debsums
|
||||
"
|
||||
|
||||
chroot_script "${TARGET}" "
|
||||
rkhunter --propupd 2>&1 | tee -a ${var_logfile}
|
||||
"
|
||||
|
||||
chroot_exec "${TARGET}" sed -i 's#^\(ENABLED=\).*#\1"true"#' /etc/default/sysstat
|
||||
|
||||
guard_dir && return 0
|
||||
}
|
||||
### Prevents accidental 'unset -f'.
|
||||
|
||||
@@ -82,6 +82,7 @@ TTYPERM 0600
|
||||
#
|
||||
ERASECHAR 0177
|
||||
KILLCHAR 025
|
||||
UMASK 0077
|
||||
|
||||
# HOME_MODE is used by useradd(8) and newusers(8) to set the mode for new
|
||||
# home directories.
|
||||
@@ -95,7 +96,7 @@ HOME_MODE 0700
|
||||
# PASS_WARN_AGE Number of days warning given before a password expires.
|
||||
#
|
||||
PASS_MAX_DAYS 16384
|
||||
PASS_MIN_DAYS 0
|
||||
PASS_MIN_DAYS 1
|
||||
PASS_WARN_AGE 128
|
||||
|
||||
#
|
||||
@@ -159,6 +160,8 @@ CHFN_RESTRICT rwh
|
||||
# the PAM modules configuration.
|
||||
#
|
||||
ENCRYPT_METHOD YESCRYPT
|
||||
SHA_CRYPT_MIN_ROUNDS 8388608
|
||||
SHA_CRYPT_MAX_ROUNDS 8388608
|
||||
|
||||
#
|
||||
# Should login be allowed if we can't cd to the home directory?
|
||||
|
||||
@@ -13,6 +13,7 @@
|
||||
: "${XDG_CACHE_HOME:=${HOME}/.cache}"
|
||||
: "${XDG_DATA_HOME:=${HOME}/.local/share}"
|
||||
: "${XDG_STATE_HOME:=${HOME}/.local/state}"
|
||||
|
||||
# Do NOT set XDG_RUNTIME_DIR here.
|
||||
|
||||
export XDG_CONFIG_HOME XDG_CACHE_HOME XDG_DATA_HOME XDG_STATE_HOME
|
||||
|
||||
Reference in New Issue
Block a user