msw/CISS.debian.installer
SHA256
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

V8.00.000.2025.06.17

Browse Source 
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
This commit is contained in:
Marc S. Weidner
2025-10-22 08:43:32 +01:00
parent 4bd51c93ed
commit a4f7c83ba2
3 changed files with 428 additions and 55 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
func/cdi_4400_hardening/4442_hardening_jitterentropy.sh
View File

@@ -34,7 +34,7 @@ hardening_jitterentropy() {
cat << EOF >> "${var_target}/etc/systemd/system/jitterentropy-rngd.service.d/override.conf"
[Service]
ExecStart=
ExecStart=/usr/sbin/jitterentropy-rngd --sp800-90b --osr=7
ExecStart=/usr/sbin/jitterentropy-rngd --osr=2
EOF
guard_dir && return 0

71
func/cdi_4600_packages/4620_installation_verification.sh
View File

@@ -59,13 +59,16 @@ install_verification() {
-D
## Increase the buffers to survive stress events.
## Make this bigger for busy systems
## Make this bigger for busy systems.
-b 16384
## This determine how long to wait in burst of events
## Rate Limit. Cap kernel->userspace message rate (0 = unlimited).
-r 200
## This determine how long to wait in burst of events. How long to wait in bursts (µs).
--backlog_wait_time 1024
## Set failure mode to syslog
## Set failure mode to syslog.
-f 1
EOF
@@ -109,6 +112,17 @@ EOF
## This rule suppresses the time-change event when chrony does time updates
-a never,exit -F arch=b64 -S adjtimex -F auid=unset -F uid=_chrony
-a never,exit -F arch=b32 -S adjtimex -F auid=unset -F uid=_chrony
EOF
############################################################### /etc/audit/rules.d/25-ciss-exec.rules
cat << EOF >| "${TARGET}/etc/audit/rules.d/25-ciss-exec.rules"
## Focus on privileged exec, not every user command
-a always,exit -F arch=b64 -S execve -F euid=0 -k exec_root
-a always,exit -F arch=b32 -S execve -F euid=0 -k exec_root
-a always,exit -F arch=b64 -S execve -F exe=/usr/bin/sudo -k exec_sudo
-a always,exit -F arch=b32 -S execve -F exe=/usr/bin/sudo -k exec_sudo
-a always,exit -F arch=b64 -S execve -C uid!=euid -k exec_suid_sgid
-a always,exit -F arch=b32 -S execve -C uid!=euid -k exec_suid_sgid
EOF
############################################################### /etc/audit/rules.d/30-ospp-v42-1-create-failed.rules
@@ -126,17 +140,6 @@ EOF
-a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
-a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
-a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
EOF
############################################################### /etc/audit/rules.d/30-ospp-v42-1-create-success.rules
cat << EOF >| "${TARGET}/etc/audit/rules.d/30-ospp-v42-1-create-success.rules"
## Successful file creation (open with O_CREAT)
-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create
-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create
-a always,exit -F arch=b32 -S open -F a1&0100 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create
-a always,exit -F arch=b64 -S open -F a1&0100 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create
-a always,exit -F arch=b32 -S creat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create
-a always,exit -F arch=b64 -S creat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create
EOF
############################################################### /etc/audit/rules.d/30-ospp-v42-2-modify-failed.rules
@@ -154,17 +157,6 @@ EOF
-a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
-a always,exit -F arch=b32 -S truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
-a always,exit -F arch=b64 -S truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
EOF
############################################################### /etc/audit/rules.d/30-ospp-v42-2-modify-success.rules
cat << EOF >| "${TARGET}/etc/audit/rules.d/30-ospp-v42-2-modify-success.rules"
## Successful file modifications (open for write or truncate)
-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification
-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification
-a always,exit -F arch=b32 -S open -F a1&01003 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification
-a always,exit -F arch=b64 -S open -F a1&01003 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification
-a always,exit -F arch=b32 -S truncate,ftruncate -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification
-a always,exit -F arch=b64 -S truncate,ftruncate -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification
EOF
############################################################### /etc/audit/rules.d/30-ospp-v42-3-access-failed.rules
@@ -174,14 +166,6 @@ EOF
-a always,exit -F arch=b64 -S open,openat,openat2,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-access
-a always,exit -F arch=b32 -S open,openat,openat2,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-access
-a always,exit -F arch=b64 -S open,openat,openat2,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-access
EOF
############################################################### /etc/audit/rules.d/30-ospp-v42-3-access-success.rules
cat << EOF >| "${TARGET}/etc/audit/rules.d/30-ospp-v42-3-access-success.rules"
## Successful file access (any other opens) This has to go last.
## These next two are likely to result in a whole lot of events
-a always,exit -F arch=b32 -S open,openat,openat2,open_by_handle_at -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-access
-a always,exit -F arch=b64 -S open,openat,openat2,open_by_handle_at -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-access
EOF
############################################################### /etc/audit/rules.d/30-ospp-v42-4-delete-failed.rules
@@ -191,13 +175,6 @@ EOF
-a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
-a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
EOF
############################################################### /etc/audit/rules.d/30-ospp-v42-4-delete-success.rules
cat << EOF >| "${TARGET}/etc/audit/rules.d/30-ospp-v42-4-delete-success.rules"
## Successful file delete
-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-delete
-a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-delete
EOF
############################################################### /etc/audit/rules.d/30-ospp-v42-5-perm-change-failed.rules
@@ -207,13 +184,6 @@ EOF
-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-perm-change
-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-perm-change
-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-perm-change
EOF
############################################################### /etc/audit/rules.d/30-ospp-v42-5-perm-change-success.rules
cat << EOF >| "${TARGET}/etc/audit/rules.d/30-ospp-v42-5-perm-change-success.rules"
## Successful permission change
-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-perm-change
-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-perm-change
EOF
############################################################### /etc/audit/rules.d/30-ospp-v42-6-owner-change-failed.rules
@@ -223,13 +193,6 @@ EOF
-a always,exit -F arch=b64 -S lchown,fchown,chown,fchownat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-owner-change
-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-owner-change
-a always,exit -F arch=b64 -S lchown,fchown,chown,fchownat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-owner-change
EOF
############################################################### /etc/audit/rules.d/30-ospp-v42-6-owner-change-success.rules
cat << EOF >| "${TARGET}/etc/audit/rules.d/30-ospp-v42-6-owner-change-success.rules"
## Successful ownership change
-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-owner-change
-a always,exit -F arch=b64 -S lchown,fchown,chown,fchownat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-owner-change
EOF
############################################################### /etc/audit/rules.d/30-ospp-v42.rules