V8.00.000.2025.06.17
All checks were successful
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 54s
All checks were successful
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 54s
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
This commit is contained in:
@@ -53,14 +53,14 @@ accounts_setup() {
|
||||
### 1) Prepare the 'root' account.
|
||||
install -d -m 0700 -o root -g root "${TARGET}/root/.ssh"
|
||||
install -m 0600 -o root -g root /dev/null "${TARGET}/root/.ssh/authorized_keys"
|
||||
install -D -m 0600 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/skel/.bashrc" "${TARGET}/root/"
|
||||
install -m 0600 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/skel/.bashrc" "${TARGET}/root/"
|
||||
|
||||
if [[ "${user_root_shell}" == "/bin/zsh" ]]; then
|
||||
|
||||
if [[ -x "${TARGET}${user_root_shell}" ]]; then
|
||||
|
||||
chroot_exec "${TARGET}" chsh -s "${user_root_shell}" root
|
||||
install -D -m 0600 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/skel/.zshrc" "${TARGET}/root/"
|
||||
install -m 0600 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/skel/.zshrc" "${TARGET}/root/"
|
||||
do_log "info" "file_only" "4520() Shell: '${user_root_shell}' used for: 'root'."
|
||||
|
||||
else
|
||||
@@ -71,9 +71,9 @@ accounts_setup() {
|
||||
fi
|
||||
|
||||
fi
|
||||
install -D -m 0600 -o root -g root "${VAR_SETUP_PATH}/includes/target/root/.ciss/alias" "${TARGET}/root/.ciss/"
|
||||
install -D -m 0700 -o root -g root "${VAR_SETUP_PATH}/includes/target/root/.ciss/clean_logout.sh" "${TARGET}/root/.ciss/"
|
||||
install -D -m 0600 -o root -g root "${VAR_SETUP_PATH}/includes/target/root/.ciss/shortcuts" "${TARGET}/root/.ciss/"
|
||||
install -m 0600 -o root -g root "${VAR_SETUP_PATH}/includes/target/root/.ciss/alias" "${TARGET}/root/.ciss/"
|
||||
install -m 0700 -o root -g root "${VAR_SETUP_PATH}/includes/target/root/.ciss/clean_logout.sh" "${TARGET}/root/.ciss/"
|
||||
install -m 0600 -o root -g root "${VAR_SETUP_PATH}/includes/target/root/.ciss/shortcuts" "${TARGET}/root/.ciss/"
|
||||
|
||||
### To be able to copy/paste from vim, one needs to create a '.vimrc' with the following content:
|
||||
echo 'set clipboard=unnamed' >| "${TARGET}/root/.vimrc"
|
||||
@@ -202,16 +202,17 @@ EOF
|
||||
var_shell="${!tmp_shell}"
|
||||
var_password="${!tmp_password}"
|
||||
var_sshpubkey="${!tmp_sshpubkey}"
|
||||
var_access_tty"${!tmp_access_tty}"
|
||||
var_auth_pwd"${!tmp_auth_pwd}"
|
||||
var_2fa_ssh"${!tmp_2fa_ssh}"
|
||||
var_2fa_tty"${!tmp_2fa_tty}"
|
||||
var_access_tty="${!tmp_access_tty}"
|
||||
var_auth_pwd="${!tmp_auth_pwd}"
|
||||
var_2fa_ssh="${!tmp_2fa_ssh}"
|
||||
var_2fa_tty="${!tmp_2fa_tty}"
|
||||
var_sudo="${!tmp_sudo}"
|
||||
var_restricted="${!tmp_restricted}"
|
||||
|
||||
### 0) A) Check if the 'group' of the 'user' already exists.
|
||||
chroot_exec "${TARGET}" getent group "${var_username}" >/dev/null || \
|
||||
if ! chroot_exec "${TARGET}" getent group "${var_username}" >/dev/null; then
|
||||
chroot_exec "${TARGET}" groupadd --gid "${var_gid}" "${var_username}"
|
||||
fi
|
||||
|
||||
### 0) B) Generates the user account.
|
||||
### If the 'user' is not restricted in scope, then generate the account accordingly, with a predefined expiry date.
|
||||
@@ -245,7 +246,7 @@ EOF
|
||||
### 1) Prepare the 'user' account.
|
||||
install -d -m 0700 -o "${var_uid}" -g "${var_gid}" "${TARGET}/home/${var_username}/.ssh"
|
||||
install -m 0600 -o "${var_uid}" -g "${var_gid}" /dev/null "${TARGET}/home/${var_username}/.ssh/authorized_keys"
|
||||
install -D -m 0600 -o "${var_uid}" -g "${var_gid}" "${VAR_SETUP_PATH}/includes/target/etc/skel/.bashrc" "${TARGET}/home/${var_username}/"
|
||||
install -m 0600 -o "${var_uid}" -g "${var_gid}" "${VAR_SETUP_PATH}/includes/target/etc/skel/.bashrc" "${TARGET}/home/${var_username}/"
|
||||
|
||||
if [[ "${var_shell}" == "/bin/zsh" ]]; then
|
||||
|
||||
@@ -352,9 +353,13 @@ EOF
|
||||
fi
|
||||
|
||||
unset VAR_TEMP_PLAIN_MFA_SEED
|
||||
printf "-: ALL:ALL \n" >> "${TARGET}/etc/security/access.conf"
|
||||
|
||||
if ! grep -qxF "-: ALL:ALL" "${TARGET}/etc/security/access.conf"; then
|
||||
printf "-: ALL:ALL \n" >> "${TARGET}/etc/security/access.conf"
|
||||
fi
|
||||
|
||||
printf "# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf \n" >> "${TARGET}/etc/security/access.conf"
|
||||
printf "# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf \n" >> "${TARGET}/etc/ssh/sshd_conf"
|
||||
printf "# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf \n" >> "${TARGET}/etc/ssh/sshd_config"
|
||||
|
||||
### Hardening of '/bin/su': only members of the group 'sudo' can su to root.
|
||||
hardening_su
|
||||
@@ -655,7 +660,7 @@ pam_access_totp_enable() {
|
||||
fi
|
||||
|
||||
### 1) Ensure a single CISS TOTP framework block is present in the PAM file.
|
||||
### The block gates GA by pam_listfile over /etc/ciss/2fa.users and uses nullok.
|
||||
### The block gates GA by pam_listfile over '/etc/ciss/2fa.users'.
|
||||
### We place it right after pam_unix.so or @include common-auth; fallback: append.
|
||||
if ! grep -q '^# CISS TOTP START$' "${var_pam_file}"; then
|
||||
awk -v START='# CISS TOTP START' -v END='# CISS TOTP END' '
|
||||
@@ -664,8 +669,8 @@ pam_access_totp_enable() {
|
||||
print
|
||||
if (!ins && ($0 ~ /^[[:space:]]*auth[[:space:]]+.*pam_unix\.so/ || $0 ~ /^[[:space:]]*@include[[:space:]]+common-auth/)) {
|
||||
print START
|
||||
print "auth [success=1 default=ignore] pam_listfile.so item=user sense=allow file=/etc/ciss/2fa.users onerr=ignore"
|
||||
print "auth required pam_google_authenticator.so nullok"
|
||||
print "auth [success=1 default=ignore] pam_listfile.so item=user sense=deny file=/etc/ciss/2fa.users onerr=ignore"
|
||||
print "auth required pam_google_authenticator.so"
|
||||
print END
|
||||
ins=1
|
||||
}
|
||||
@@ -674,7 +679,7 @@ pam_access_totp_enable() {
|
||||
if (!ins) {
|
||||
print START
|
||||
print "auth [success=1 default=ignore] pam_listfile.so item=user sense=allow file=/etc/ciss/2fa.users onerr=ignore"
|
||||
print "auth required pam_google_authenticator.so nullok"
|
||||
print "auth required pam_google_authenticator.so"
|
||||
print END
|
||||
}
|
||||
}
|
||||
@@ -758,10 +763,10 @@ write_google_authenticator_file() {
|
||||
umask 0077
|
||||
{
|
||||
printf '%s\n' "${var_secret}"
|
||||
printf '"RATE_LIMIT 3 30"\n'
|
||||
printf '"WINDOW 10"\n'
|
||||
printf '"DISALLOW_REUSE"\n'
|
||||
printf '"TOTP_AUTH"\n'
|
||||
printf 'RATE_LIMIT 3 30 \n'
|
||||
printf 'WINDOW 10 \n'
|
||||
printf 'DISALLOW_REUSE \n'
|
||||
printf 'TOTP_AUTH \n'
|
||||
### Emergency Codes:
|
||||
for i in {0..7}; do printf '%08d\n' "$(( RANDOM % 100000000 ))"; done
|
||||
} >| "${var_base}/.google_authenticator"
|
||||
|
||||
Reference in New Issue
Block a user