V8.00.000.2025.06.17

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>

func/cdi_4400_hardening/4420_hardening_fail2ban.sh

@@ -220,7 +220,7 @@ bantime.overalljails  = true
 bantime.rndtime       = 877s
 filter                = sshd
 findtime              = 16m
-mode                  = aggressive
+mode                  = normal
 port                  = ${VAR_SSH_PORT}
 protocol              = tcp
 maxretry              = 4

func/cdi_4500_user/4520_accounts_setup.sh

@@ -402,6 +402,8 @@ EOF
 
       [[ "${var_2fa_tty}" == "true" ]] && write_ciss_2fa_user "${var_username}" "login" "on" "${var_target}"
 
+      write_ciss_2fa_user "${var_username}" "su" "on" "${var_target}"
+
       write_ciss_2fa_user "${var_username}" "sudo" "on" "${var_target}"
 
     fi
@@ -748,12 +750,9 @@ write_ciss_2fa_user() {
   declare -r  var_ciss_2fa_map="${var_target}/etc/ciss/2fa.map"
   declare -r  var_map_file="${var_ciss_2fa_map}"
   declare -r  var_tmp_file="${var_map_file}.tmp.$$"
-  declare -r  var_umask=$(umask)
   declare -i  col_idx="" found="0" status=""
   declare     line=""
 
-  umask 0077
-
   # shellcheck disable=SC2249
   case "${var_s,,}" in
     on|1|yes|true)  status="1" ;;
@@ -846,11 +845,10 @@ write_ciss_2fa_user() {
   if [[ -e "${var_tmp_file}" ]]; then
 
     mv -f -- "${var_tmp_file}" "${var_map_file}" || rm -f -- "${var_tmp_file}"
+    chmod 0644 "${var_map_file}"
 
   fi
 
-  umask "${var_umask}"
-
   return 0
 }
 ### Prevents accidental 'unset -f'.

includes/target/etc/login.defs

@@ -82,7 +82,7 @@ TTYPERM		0600
 #
 ERASECHAR	0177
 KILLCHAR	025
-UMASK 0077
+UMASK 077
 
 # HOME_MODE is used by useradd(8) and newusers(8) to set the mode for new
 # home directories.

var/global.var.sh

@@ -12,6 +12,8 @@
 
 guard_sourcing
 
+[[ -f /root/ciss-debian-live-builder.env ]] && . /root/ciss-debian-live-builder.env
+
 ### Definition of MUST set global variables.
 # shellcheck disable=SC2155
 declare -grx VAR_KERNEL_INF=$(mktemp var_kernel_inf.XXXXXXXX)