V8.00.000.2025.06.17

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2025-08-08 21:38:05 +02:00
parent f9ba15e1da
commit a9fab33829
19 changed files with 169 additions and 19 deletions
--- a/ciss_debian_installer.sh
+++ b/ciss_debian_installer.sh
@@ -305,6 +305,10 @@ echo "MAIN PROGRAM SEQUENCE: 4430_installation_skel.sh ..."
 installation_skel
 echo "MAIN PROGRAM SEQUENCE: 4440_hardening_files.sh ..."
 hardening_files
+echo "MAIN PROGRAM SEQUENCE: 4450_hardening_haveged.sh ..."
+hardening_haveged
+echo "MAIN PROGRAM SEQUENCE: 4460_hardening_memory.sh ..."
+hardening_memory

 ### CDI_4500
 echo "MAIN PROGRAM SEQUENCE: 4500_installation_accounts.sh ..."
--- a/func/cdi_1000_helper/1082_helper_modules.sh
+++ b/func/cdi_1000_helper/1082_helper_modules.sh
@@ -12,6 +12,24 @@

 guard_sourcing

+
+#######################################
+# Wrapper for preparing logfile inside chroot.
+# Globals:
+#   TARGET
+# Arguments:
+#   1: Logfile inside chroot
+# Returns:
+#   0: on success
+#   ERR_CHROOT_LOGGER
+#######################################
+chroot_logger() {
+  declare -r var_logfile="$1"
+  : >| "${TARGET}${var_logfile}" || return "${ERR_CHROOT_LOGGER}"
+  chmod 0600 "${TARGET}${var_logfile}" || "${ERR_CHROOT_LOGGER}"
+  return 0
+}
+
 #######################################
 # Helper Module to generate a Subnet Mask out of an IP in CCDIR Notation.
 # Arguments:
--- a/func/cdi_4100_base/4110_update_sources.sh
+++ b/func/cdi_4100_base/4110_update_sources.sh
@@ -29,7 +29,7 @@ update_sources() {
  ### Declare Arrays, HashMaps, and Variables.
  declare -r  var_logfile="/root/.ciss/cdi/log/4110_update_sources.log"

-  touch "${TARGET}${var_logfile}" && chmod 0600 "${TARGET}${var_logfile}"
+  chroot_logger "${TARGET}${var_logfile}"

  ### Update generated sources.
  # shellcheck disable=SC2312
--- a/func/cdi_4100_base/4120_installation_kernel.sh
+++ b/func/cdi_4100_base/4120_installation_kernel.sh
@@ -30,7 +30,7 @@ installation_kernel() {
  ### Declare Arrays, HashMaps, and Variables.
  declare -r  var_logfile="/root/.ciss/cdi/log/4120_installation_kernel.log"

-  touch "${TARGET}${var_logfile}" && chmod 0600 "${TARGET}${var_logfile}"
+  chroot_logger "${TARGET}${var_logfile}"

  if [[ -n "${VAR_KERNEL}" ]]; then

--- a/func/cdi_4100_base/4130_installation_toolset.sh
+++ b/func/cdi_4100_base/4130_installation_toolset.sh
@@ -101,7 +101,7 @@ installation_toolset() {
  declare -r  var_logfile="/root/.ciss/cdi/log/4130_installation_toolset.log"
  declare     var_bin=""

-  touch "${TARGET}${var_logfile}" && chmod 0600 "${TARGET}${var_logfile}"
+  chroot_logger "${TARGET}${var_logfile}"

  ### Collecting missing binaries.
  for var_bin in "${!hmp_tool_pkg[@]}"; do
--- a/func/cdi_4100_base/4131_installation_systemd.sh
+++ b/func/cdi_4100_base/4131_installation_systemd.sh
@@ -28,7 +28,7 @@ installation_systemd() {
  ### Declare Arrays, HashMaps, and Variables.
  declare -r  var_logfile="/root/.ciss/cdi/log/4131_installation_systemd.log"

-  touch "${TARGET}${var_logfile}" && chmod 0600 "${TARGET}${var_logfile}"
+  chroot_logger "${TARGET}${var_logfile}"

  if ! do_in_target_script "${TARGET}" "type -P systemctl >/dev/null"; then
    do_log "info" "file_only" "4131() 'systemctl' NOT found, installing 'systemd' and dependencies."
--- a/func/cdi_4100_base/4140_installation_microcode.sh
+++ b/func/cdi_4100_base/4140_installation_microcode.sh
@@ -29,7 +29,7 @@ installation_microcode() {
  declare     var_microcode_pkgs="" var_whereiam="" var_cpu_vendor=""
  declare -r  var_logfile="/root/.ciss/cdi/log/4140_installation_microcode.log"

-  touch "${TARGET}${var_logfile}" && chmod 0600 "${TARGET}${var_logfile}"
+  chroot_logger "${TARGET}${var_logfile}"

  # shellcheck disable=SC2312
  if [[ -x "$(command -v virt-what)" ]]; then
--- a/func/cdi_4100_base/4150_installation_chrony.sh
+++ b/func/cdi_4100_base/4150_installation_chrony.sh
@@ -34,7 +34,7 @@ installation_chrony() {
  declare     var_of=$(mktemp var_of.XXXXXXXX) var_ntp_server=""
  declare -r  var_logfile="/root/.ciss/cdi/log/4150_installation_chrony.log"

-  touch "${TARGET}${var_logfile}" && chmod 0600 "${TARGET}${var_logfile}"
+  chroot_logger "${TARGET}${var_logfile}"

  for var_ntp_server in "${ARY_NTPSRVR[@]}"; do

--- a/func/cdi_4200_boot/4205_check_fstab.sh
+++ b/func/cdi_4200_boot/4205_check_fstab.sh
@@ -25,12 +25,27 @@ check_fstab() {
  ### Declare Arrays, HashMaps, and Variables.
  declare -r  var_logfile="/root/.ciss/cdi/log/4205_check_fstab.log"

-  touch "${TARGET}${var_logfile}" && chmod 0600 "${TARGET}${var_logfile}"
+  chroot_logger "${TARGET}${var_logfile}"

+  # shellcheck disable=SC2016 # an Internal script is only evaluated in chroot.
  do_in_target_script "${TARGET}" '
    export INITRD=No
-    systemd-analyze verify /etc/fstab 2>&1 | tee -a '"${var_logfile}"'
-    echo ExitCode: $? >> '"${var_logfile}"'
+
+    if [[ ! -s /etc/fstab ]]; then
+      echo "ERROR: /etc/fstab missing or empty" >> '"${var_logfile}"'
+      exit 1
+    fi
+
+    {
+      findmnt --verify --verbose --tab-file /etc/fstab
+      ec=$?
+
+      echo "--- mount -fav -n (dry-run) ---"
+      mount -fav -n || true
+
+      echo "ExitCode(findmnt): ${ec}"
+      exit "${ec}"
+    } 2>&1 | tee -a '"${var_logfile}"'
  '

  guard_dir && return 0
--- a/func/cdi_4200_boot/4220_installation_cryptsetup.sh
+++ b/func/cdi_4200_boot/4220_installation_cryptsetup.sh
@@ -28,7 +28,7 @@ installation_cryptsetup() {
  ### Declare Arrays, HashMaps, and Variables.
  declare -r  var_logfile="/root/.ciss/cdi/log/4220_installation_cryptsetup.log"

-  touch "${TARGET}${var_logfile}" && chmod 0600 "${TARGET}${var_logfile}"
+  chroot_logger "${TARGET}${var_logfile}"

  do_in_target_script "${TARGET}" '
    export INITRD=No
--- a/func/cdi_4200_boot/4230_installation_grub.sh
+++ b/func/cdi_4200_boot/4230_installation_grub.sh
@@ -53,7 +53,7 @@ installation_grub() {
  declare -r  var_logfile="/root/.ciss/cdi/log/4230_update_grub.log"
  declare     var_background=""

-  touch "${TARGET}${var_logfile}" && chmod 0600 "${TARGET}${var_logfile}"
+  chroot_logger "${TARGET}${var_logfile}"

  get_grub_modinfo_path

--- a/func/cdi_4300_network/4310_dropbear_build.sh
+++ b/func/cdi_4300_network/4310_dropbear_build.sh
@@ -34,7 +34,7 @@ dropbear_build() {
  declare     var_build_dir="${DIR_TMP}/build/dropbear-${var_dropbear_version}"
  declare -r  var_logfile="/root/.ciss/cdi/log/4310_dropbear_build.log"

-  touch "${TARGET}${var_logfile}" && chmod 0600 "${TARGET}${var_logfile}"
+  chroot_logger "${TARGET}${var_logfile}"

  apt-get install -y autoconf automake build-essential libtool libtomcrypt-dev libtommath-dev musl-tools

--- a/func/cdi_4300_network/4311_dropbear_initramfs.sh
+++ b/func/cdi_4300_network/4311_dropbear_initramfs.sh
@@ -27,7 +27,7 @@ dropbear_initramfs() {
  declare     var_file=""
  declare -r  var_logfile="/root/.ciss/cdi/log/4311_dropbear_initramfs.log"

-  touch "${TARGET}${var_logfile}" && chmod 0600 "${TARGET}${var_logfile}"
+  chroot_logger "${TARGET}${var_logfile}"

  do_in_target_script "${TARGET}" '
    export INITRD=No
--- a/func/cdi_4300_network/4320_update_initramfs.sh
+++ b/func/cdi_4300_network/4320_update_initramfs.sh
@@ -25,7 +25,7 @@ update_initramfs() {
  ### Declare Arrays, HashMaps, and Variables.
  declare -r  var_logfile="/root/.ciss/cdi/log/4320_update_initramfs.log"

-  touch "${TARGET}${var_logfile}" && chmod 0600 "${TARGET}${var_logfile}"
+  chroot_logger "${TARGET}${var_logfile}"

  do_in_target_script "${TARGET}" "
      update-grub 2>&1 | tee -a ${var_logfile}
--- a/func/cdi_4400_hardening/4440_hardening_files.sh
+++ b/func/cdi_4400_hardening/4440_hardening_files.sh
@@ -12,7 +12,7 @@

 guard_sourcing

-###########################################################################################
+#######################################
 # Hardening files and directories.
 # Globals:
 #   None
@@ -20,8 +20,11 @@ guard_sourcing
 #   None
 # Returns:
 #   0: on success
-###########################################################################################
+#######################################
 hardening_files() {
+  chmod 0700 /etc/cron.d /etc/cron.daily /etc/cron.hourly /etc/cron.monthly /etc/cron.weekly
+  chmod 0700 /etc/sudoers.d
+  chmod 0700 /etc/crontab
  guard_dir && return 0
 }
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/func/cdi_4400_hardening/4450_hardening_haveged.sh
+++ b/func/cdi_4400_hardening/4450_hardening_haveged.sh
@@ -12,16 +12,47 @@

 guard_sourcing

-###########################################################################################
+#######################################
 # Hardening haveged.
 # Globals:
-#   None
+#   TARGET
+#   VAR_ARCHITECTURE
+#   VAR_CODENAME
+#   VAR_VERSION
 # Arguments:
 #   None
 # Returns:
 #   0: on success
-###########################################################################################
+#######################################
 hardening_haveged() {
+  cat << EOF >| "${TARGET}/etc/default/haveged"
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.installer
+# SPDX-Security-Contact: security@coresecret.eu
+
+# Static file system information: /etc/default/haveged
+# Generated by CISS.debian.installer ${VAR_VERSION}
+# Architecture: ${VAR_ARCHITECTURE}
+# Distribution: ${VAR_CODENAME}
+
+# Configuration file for haveged
+# Minimal, sane defaults for server/headless systems.
+# -w <bits> : target entropy level in bits; 1024 ensures fast pool fill on boot
+# -v 1      : low verbosity (startup/shutdown only)
+# Options to pass to haveged:
+
+DAEMON_ARGS="-w 2048 -v 1"
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
+EOF
+
  guard_dir && return 0
 }
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/func/cdi_4400_hardening/4460_hardening_memory.sh
+++ b/func/cdi_4400_hardening/4460_hardening_memory.sh
@@ -0,0 +1,76 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.installer
+# SPDX-Security-Contact: security@coresecret.eu
+
+guard_sourcing
+
+#######################################
+# Hardening memory dump.
+# Globals:
+#   TARGET
+# Arguments:
+#   None
+# Returns:
+#   0: on success
+#######################################
+hardening_memory() {
+  mkdir -p "${TARGET}/etc/systemd/coredump.conf.d"
+
+  cat << EOF >| "${TARGET}/etc/systemd/coredump.conf.d/disable.conf"
+# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.installer
+# SPDX-Security-Contact: security@coresecret.eu
+
+# Static file system information: /etc/systemd/coredump.conf.d/disable.conf
+# Generated by CISS.debian.installer ${VAR_VERSION}
+# Architecture: ${VAR_ARCHITECTURE}
+# Distribution: ${VAR_CODENAME}
+
+[Coredump]
+Storage=none
+EOF
+
+  chmod 0644 "${TARGET}/etc/systemd/coredump.conf.d/disable.conf"
+
+  cat << EOF >| "${TARGET}/etc/security/limits.d/90-ciss-core.conf"
+# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.installer
+# SPDX-Security-Contact: security@coresecret.eu
+
+# Static file system information: /etc/security/limits.d/90-ciss-core.conf
+# Generated by CISS.debian.installer ${VAR_VERSION}
+# Architecture: ${VAR_ARCHITECTURE}
+# Distribution: ${VAR_CODENAME}
+
+# Format: <domain> <type> <item> <value>
+*	soft	core	0
+*	hard	core	0
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
+EOF
+
+  chmod 0644 "${TARGET}/etc/security/limits.d/90-ciss-core.conf"
+
+  guard_dir && return 0
+}
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/meta_loader_func.sh
+++ b/meta_loader_func.sh
@@ -81,6 +81,8 @@ source_guard "./func/cdi_4400_hardening/4410_kernel_sysctl.sh"
 source_guard "./func/cdi_4400_hardening/4420_installation_ssh.sh"
 source_guard "./func/cdi_4400_hardening/4430_installation_skel.sh"
 source_guard "./func/cdi_4400_hardening/4440_hardening_files.sh"
+source_guard "./func/cdi_4400_hardening/4450_hardening_haveged.sh"
+source_guard "./func/cdi_4400_hardening/4460_hardening_memory.sh"

 ### cdi_4500_user
 source_guard "./func/cdi_4500_user/4500_installation_accounts.sh"
--- a/var/errors.var.sh
+++ b/var/errors.var.sh
@@ -53,6 +53,7 @@ declare -girx ERR_READ_PASS_FILE=220    # Error reading the password file.
 declare -girx ERR_GENERATE_SALT=219     # Error generating salt.
 declare -girx ERR_VAR_REGEX_CHK=218     # Error checking VAR against REGEX.
 declare -girx ERR_CONF_VALIDATION=217   # Error checking the respective configuration files.
+declare -girx ERR_CHROOT_LOGGER=216     # An error occurred while preparing the inside chroot log file.

 ### Definition of error trap vars.
 declare -gx ERRCODE=""                  # = $?                   = $1 = ERRCODE