V8.00.000.2025.06.17
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
@@ -61,6 +61,7 @@ accounts_hardening() {
|
|||||||
chmod 0600 "${TARGET}/etc/securetty" "${TARGET}/etc/security/access.conf"
|
chmod 0600 "${TARGET}/etc/securetty" "${TARGET}/etc/security/access.conf"
|
||||||
|
|
||||||
### Hardening '/etc/login.defs'.
|
### Hardening '/etc/login.defs'.
|
||||||
|
mkdir -p "${TARGET}/root/.ciss/cdi/backup/etc"
|
||||||
mv "${TARGET}/etc/login.defs" "${TARGET}/root/.ciss/cdi/backup/etc/login.defs.bak"
|
mv "${TARGET}/etc/login.defs" "${TARGET}/root/.ciss/cdi/backup/etc/login.defs.bak"
|
||||||
insert_header "${TARGET}/etc/login.defs"
|
insert_header "${TARGET}/etc/login.defs"
|
||||||
insert_comments "${TARGET}/etc/login.defs"
|
insert_comments "${TARGET}/etc/login.defs"
|
||||||
|
|||||||
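Review bot: The `mv` that follows the new `mkdir -p` overwrites `login.defs.bak` unconditionally, so a second run of accounts_hardening replaces the saved original with the file generated by the previous run (insert_header then rebuilds `/etc/login.defs` from scratch). Take the backup only once: `[[ -e "${TARGET}/root/.ciss/cdi/backup/etc/login.defs.bak" ]] || mv "${TARGET}/etc/login.defs" "${TARGET}/root/.ciss/cdi/backup/etc/login.defs.bak"`. accounts_hardening starts and ends outside the hunk.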
@@ -53,14 +53,14 @@ accounts_setup() {
|
|||||||
### 1) Prepare the 'root' account.
|
### 1) Prepare the 'root' account.
|
||||||
install -d -m 0700 -o root -g root "${TARGET}/root/.ssh"
|
install -d -m 0700 -o root -g root "${TARGET}/root/.ssh"
|
||||||
install -m 0600 -o root -g root /dev/null "${TARGET}/root/.ssh/authorized_keys"
|
install -m 0600 -o root -g root /dev/null "${TARGET}/root/.ssh/authorized_keys"
|
||||||
install -D -m 0600 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/skel/.bashrc" "${TARGET}/root/"
|
install -m 0600 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/skel/.bashrc" "${TARGET}/root/"
|
||||||
|
|
||||||
if [[ "${user_root_shell}" == "/bin/zsh" ]]; then
|
if [[ "${user_root_shell}" == "/bin/zsh" ]]; then
|
||||||
|
|
||||||
if [[ -x "${TARGET}${user_root_shell}" ]]; then
|
if [[ -x "${TARGET}${user_root_shell}" ]]; then
|
||||||
|
|
||||||
chroot_exec "${TARGET}" chsh -s "${user_root_shell}" root
|
chroot_exec "${TARGET}" chsh -s "${user_root_shell}" root
|
||||||
install -D -m 0600 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/skel/.zshrc" "${TARGET}/root/"
|
install -m 0600 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/skel/.zshrc" "${TARGET}/root/"
|
||||||
do_log "info" "file_only" "4520() Shell: '${user_root_shell}' used for: 'root'."
|
do_log "info" "file_only" "4520() Shell: '${user_root_shell}' used for: 'root'."
|
||||||
|
|
||||||
else
|
else
|
||||||
@@ -71,9 +71,9 @@ accounts_setup() {
|
|||||||
fi
|
fi
|
||||||
|
|
||||||
fi
|
fi
|
||||||
install -D -m 0600 -o root -g root "${VAR_SETUP_PATH}/includes/target/root/.ciss/alias" "${TARGET}/root/.ciss/"
|
install -m 0600 -o root -g root "${VAR_SETUP_PATH}/includes/target/root/.ciss/alias" "${TARGET}/root/.ciss/"
|
||||||
install -D -m 0700 -o root -g root "${VAR_SETUP_PATH}/includes/target/root/.ciss/clean_logout.sh" "${TARGET}/root/.ciss/"
|
install -m 0700 -o root -g root "${VAR_SETUP_PATH}/includes/target/root/.ciss/clean_logout.sh" "${TARGET}/root/.ciss/"
|
||||||
install -D -m 0600 -o root -g root "${VAR_SETUP_PATH}/includes/target/root/.ciss/shortcuts" "${TARGET}/root/.ciss/"
|
install -m 0600 -o root -g root "${VAR_SETUP_PATH}/includes/target/root/.ciss/shortcuts" "${TARGET}/root/.ciss/"
|
||||||
|
|
||||||
### To be able to copy/paste from vim, one needs to create a '.vimrc' with the following content:
|
### To be able to copy/paste from vim, one needs to create a '.vimrc' with the following content:
|
||||||
echo 'set clipboard=unnamed' >| "${TARGET}/root/.vimrc"
|
echo 'set clipboard=unnamed' >| "${TARGET}/root/.vimrc"
|
||||||
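Review bot: Dropping `-D` from the three `install` calls for `alias`, `clean_logout.sh` and `shortcuts` means `${TARGET}/root/.ciss/` must already exist, otherwise install aborts with "not a directory"; I cannot see where that directory is created before this point (the `mkdir -p` in accounts_hardening creates a subdirectory of it, but the call order is not visible). Add `install -d -m 0700 -o root -g root "${TARGET}/root/.ciss"` before the first of them, in the same style as the `.ssh` line earlier in this function. The same consideration applies to the `.bashrc` install into the user home in the `@@ -245` hunk, though `useradd` presumably creates that directory. The enclosing function continues outside the hunk.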
@@ -202,16 +202,17 @@ EOF
|
|||||||
var_shell="${!tmp_shell}"
|
var_shell="${!tmp_shell}"
|
||||||
var_password="${!tmp_password}"
|
var_password="${!tmp_password}"
|
||||||
var_sshpubkey="${!tmp_sshpubkey}"
|
var_sshpubkey="${!tmp_sshpubkey}"
|
||||||
var_access_tty"${!tmp_access_tty}"
|
var_access_tty="${!tmp_access_tty}"
|
||||||
var_auth_pwd"${!tmp_auth_pwd}"
|
var_auth_pwd="${!tmp_auth_pwd}"
|
||||||
var_2fa_ssh"${!tmp_2fa_ssh}"
|
var_2fa_ssh="${!tmp_2fa_ssh}"
|
||||||
var_2fa_tty"${!tmp_2fa_tty}"
|
var_2fa_tty="${!tmp_2fa_tty}"
|
||||||
var_sudo="${!tmp_sudo}"
|
var_sudo="${!tmp_sudo}"
|
||||||
var_restricted="${!tmp_restricted}"
|
var_restricted="${!tmp_restricted}"
|
||||||
|
|
||||||
### 0) A) Check if the 'group' of the 'user' already exists.
|
### 0) A) Check if the 'group' of the 'user' already exists.
|
||||||
chroot_exec "${TARGET}" getent group "${var_username}" >/dev/null || \
|
if ! chroot_exec "${TARGET}" getent group "${var_username}" >/dev/null; then
|
||||||
chroot_exec "${TARGET}" groupadd --gid "${var_gid}" "${var_username}"
|
chroot_exec "${TARGET}" groupadd --gid "${var_gid}" "${var_username}"
|
||||||
|
fi
|
||||||
|
|
||||||
### 0) B) Generates the user account.
|
### 0) B) Generates the user account.
|
||||||
### If the 'user' is not restricted in scope, then generate the account accordingly, with a predefined expiry date.
|
### If the 'user' is not restricted in scope, then generate the account accordingly, with a predefined expiry date.
|
||||||
@@ -245,7 +246,7 @@ EOF
|
|||||||
### 1) Prepare the 'user' account.
|
### 1) Prepare the 'user' account.
|
||||||
install -d -m 0700 -o "${var_uid}" -g "${var_gid}" "${TARGET}/home/${var_username}/.ssh"
|
install -d -m 0700 -o "${var_uid}" -g "${var_gid}" "${TARGET}/home/${var_username}/.ssh"
|
||||||
install -m 0600 -o "${var_uid}" -g "${var_gid}" /dev/null "${TARGET}/home/${var_username}/.ssh/authorized_keys"
|
install -m 0600 -o "${var_uid}" -g "${var_gid}" /dev/null "${TARGET}/home/${var_username}/.ssh/authorized_keys"
|
||||||
install -D -m 0600 -o "${var_uid}" -g "${var_gid}" "${VAR_SETUP_PATH}/includes/target/etc/skel/.bashrc" "${TARGET}/home/${var_username}/"
|
install -m 0600 -o "${var_uid}" -g "${var_gid}" "${VAR_SETUP_PATH}/includes/target/etc/skel/.bashrc" "${TARGET}/home/${var_username}/"
|
||||||
|
|
||||||
if [[ "${var_shell}" == "/bin/zsh" ]]; then
|
if [[ "${var_shell}" == "/bin/zsh" ]]; then
|
||||||
|
|
||||||
@@ -352,9 +353,13 @@ EOF
|
|||||||
fi
|
fi
|
||||||
|
|
||||||
unset VAR_TEMP_PLAIN_MFA_SEED
|
unset VAR_TEMP_PLAIN_MFA_SEED
|
||||||
printf "-: ALL:ALL \n" >> "${TARGET}/etc/security/access.conf"
|
|
||||||
|
if ! grep -qxF "-: ALL:ALL" "${TARGET}/etc/security/access.conf"; then
|
||||||
|
printf "-: ALL:ALL \n" >> "${TARGET}/etc/security/access.conf"
|
||||||
|
fi
|
||||||
|
|
||||||
printf "# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf \n" >> "${TARGET}/etc/security/access.conf"
|
printf "# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf \n" >> "${TARGET}/etc/security/access.conf"
|
||||||
printf "# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf \n" >> "${TARGET}/etc/ssh/sshd_conf"
|
printf "# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf \n" >> "${TARGET}/etc/ssh/sshd_config"
|
||||||
|
|
||||||
### Hardening of '/bin/su': only members of the group 'sudo' can su to root.
|
### Hardening of '/bin/su': only members of the group 'sudo' can su to root.
|
||||||
hardening_su
|
hardening_su
|
||||||
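Review bot: The new `grep -qxF "-: ALL:ALL"` guard can never match the line that the following `printf` writes, because that line carries a trailing blank (`"-: ALL:ALL \n"`) and `-x` requires a full-line match; reruns therefore still append a duplicate deny rule. Either write the entry without the trailing blank, `printf '%s\n' '-: ALL:ALL' >> "${TARGET}/etc/security/access.conf"`, or loosen the check to `grep -q '^-: ALL:ALL'`. The vim modelines appended just below have no guard at all and accumulate on every run in the same way (the `sshd_config` path fix in this hunk is fine). The enclosing function starts outside the hunk.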
@@ -655,7 +660,7 @@ pam_access_totp_enable() {
|
|||||||
fi
|
fi
|
||||||
|
|
||||||
### 1) Ensure a single CISS TOTP framework block is present in the PAM file.
|
### 1) Ensure a single CISS TOTP framework block is present in the PAM file.
|
||||||
### The block gates GA by pam_listfile over /etc/ciss/2fa.users and uses nullok.
|
### The block gates GA by pam_listfile over '/etc/ciss/2fa.users'.
|
||||||
### We place it right after pam_unix.so or @include common-auth; fallback: append.
|
### We place it right after pam_unix.so or @include common-auth; fallback: append.
|
||||||
if ! grep -q '^# CISS TOTP START$' "${var_pam_file}"; then
|
if ! grep -q '^# CISS TOTP START$' "${var_pam_file}"; then
|
||||||
awk -v START='# CISS TOTP START' -v END='# CISS TOTP END' '
|
awk -v START='# CISS TOTP START' -v END='# CISS TOTP END' '
|
||||||
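Review bot: The `grep -q '^# CISS TOTP START$'` check skips insertion whenever a block from an earlier run is present, so hosts configured with the previous `sense=allow` / `nullok` block never receive the corrected policy from this commit and keep skipping TOTP for exactly the users listed in `/etc/ciss/2fa.users`. Consider replacing the marker pair instead of preserving it, e.g. `sed -i '/^# CISS TOTP START$/,/^# CISS TOTP END$/d' "${var_pam_file}"` ahead of the insertion, so a rerun always installs the current block. The awk program and pam_access_totp_enable continue past the hunk.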
@@ -664,8 +669,8 @@ pam_access_totp_enable() {
|
|||||||
print
|
print
|
||||||
if (!ins && ($0 ~ /^[[:space:]]*auth[[:space:]]+.*pam_unix\.so/ || $0 ~ /^[[:space:]]*@include[[:space:]]+common-auth/)) {
|
if (!ins && ($0 ~ /^[[:space:]]*auth[[:space:]]+.*pam_unix\.so/ || $0 ~ /^[[:space:]]*@include[[:space:]]+common-auth/)) {
|
||||||
print START
|
print START
|
||||||
print "auth [success=1 default=ignore] pam_listfile.so item=user sense=allow file=/etc/ciss/2fa.users onerr=ignore"
|
print "auth [success=1 default=ignore] pam_listfile.so item=user sense=deny file=/etc/ciss/2fa.users onerr=ignore"
|
||||||
print "auth required pam_google_authenticator.so nullok"
|
print "auth required pam_google_authenticator.so"
|
||||||
print END
|
print END
|
||||||
ins=1
|
ins=1
|
||||||
}
|
}
|
||||||
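Review bot: With `nullok` removed and `onerr=ignore` kept, a missing or unreadable `/etc/ciss/2fa.users` makes pam_listfile return PAM_IGNORE, so the `[success=1 ...]` skip does not fire and every user falls through to `auth required pam_google_authenticator.so`; any account without a `~/.google_authenticator` is then locked out. That fail-closed behaviour may well be intended, but nothing states it; add a comment above the awk call such as `### Fail-closed: if /etc/ciss/2fa.users is missing or unreadable, every user must pass TOTP (no nullok).` and make sure the list file exists before the PAM file is rewritten. The remainder of the awk program is outside the hunk.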
@@ -674,7 +679,7 @@ pam_access_totp_enable() {
|
|||||||
if (!ins) {
|
if (!ins) {
|
||||||
print START
|
print START
|
||||||
print "auth [success=1 default=ignore] pam_listfile.so item=user sense=allow file=/etc/ciss/2fa.users onerr=ignore"
|
print "auth [success=1 default=ignore] pam_listfile.so item=user sense=allow file=/etc/ciss/2fa.users onerr=ignore"
|
||||||
print "auth required pam_google_authenticator.so nullok"
|
print "auth required pam_google_authenticator.so"
|
||||||
print END
|
print END
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
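Review bot: The fallback branch (`if (!ins)`) still prints `pam_listfile.so ... sense=allow` while the primary insertion in the previous hunk was switched to `sense=deny`; with `[success=1 default=ignore]` and `sense=allow`, the users listed in `/etc/ciss/2fa.users` are precisely the ones that skip `pam_google_authenticator.so`, the inverse of the intended gating. Change the line to `print "auth [success=1 default=ignore] pam_listfile.so item=user sense=deny file=/etc/ciss/2fa.users onerr=ignore"` so both paths enforce the same policy; emitting the three block lines from a single awk function would keep the two copies from drifting again.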
@@ -758,10 +763,10 @@ write_google_authenticator_file() {
|
|||||||
umask 0077
|
umask 0077
|
||||||
{
|
{
|
||||||
printf '%s\n' "${var_secret}"
|
printf '%s\n' "${var_secret}"
|
||||||
printf '"RATE_LIMIT 3 30"\n'
|
printf 'RATE_LIMIT 3 30 \n'
|
||||||
printf '"WINDOW 10"\n'
|
printf 'WINDOW 10 \n'
|
||||||
printf '"DISALLOW_REUSE"\n'
|
printf 'DISALLOW_REUSE \n'
|
||||||
printf '"TOTP_AUTH"\n'
|
printf 'TOTP_AUTH \n'
|
||||||
### Emergency Codes:
|
### Emergency Codes:
|
||||||
for i in {0..7}; do printf '%08d\n' "$(( RANDOM % 100000000 ))"; done
|
for i in {0..7}; do printf '%08d\n' "$(( RANDOM % 100000000 ))"; done
|
||||||
} >| "${var_base}/.google_authenticator"
|
} >| "${var_base}/.google_authenticator"
|
||||||
|
|||||||
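Review bot: The emergency codes are generated from `$RANDOM`, which in bash yields 0..32767, so `RANDOM % 100000000` never exceeds 32767 and each 8-digit code carries only about 15 bits of entropy (all of the form `000xxxxx`); draw from the kernel CSPRNG instead, e.g. `printf '%08d\n' "$(( $(od -An -N4 -tu4 /dev/urandom) % 90000000 + 10000000 ))"`, which also matches the 10000000..99999999 range the google-authenticator tool itself emits. The option lines also look off: the file format written by that tool prefixes each option with a double quote and a space (`" RATE_LIMIT 3 30`, `" WINDOW_SIZE 17`), whereas the new lines drop the quote entirely and use `WINDOW` — verify against the libpam-google-authenticator parser, since unrecognised lines would silently disable rate limiting and reuse protection. Note also that `umask 0077` is set in function scope and stays in effect after the function returns; the function starts outside the hunk.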