V8.00.000.2025.06.17

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2025-09-25 21:56:59 +01:00
parent 44a1f50bc9
commit b338569f14
8 changed files with 101 additions and 14 deletions


@@ -719,32 +719,29 @@ software:
# Installed by 4600_installation_packages.sh # Installed by 4600_installation_packages.sh
############################################################################################################################## ##############################################################################################################################
- bat - bat
- borgbackup
- borgbackup-doc
- dhcpdump
- dhcping
- dialog - dialog
- expect - expect
- htop - htop
- iftop - iftop
- locate - locate
- man-db - man-db
- manpages
- manpages-dev
- mdadm - mdadm
- mtr - mtr
- ncat - ncat
- rsnapshot
- rsync - rsync
- sysstat - sysstat
- unzip
- zip - zip
############################################################################################################################## ##############################################################################################################################
# diagnostics # backup and diagnostics
############################################################################################################################## ##############################################################################################################################
#- borgbackup
#- borgbackup-doc
#- dhcpdump
#- dhcping
#- knot-dnssecutils #- knot-dnssecutils
#- knot-dnsutils #- knot-dnsutils
#- nmap #- nmap
#- rsnapshot
#- spectre-meltdown-checker #- spectre-meltdown-checker
#- tshark #- tshark
############################################################################################################################## ##############################################################################################################################
@@ -758,6 +755,8 @@ software:
#- debootstrap #- debootstrap
#- linux-source #- linux-source
#- lld #- lld
#- manpages
#- manpages-dev
#- shellcheck #- shellcheck
#- ssl-cert #- ssl-cert
############################################################################################################################## ##############################################################################################################################
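Review bot: `unzip` is printed only once in this hunk and, unlike borgbackup, borgbackup-doc, dhcpdump, dhcping, rsnapshot and the manpages pair, it has no commented-out counterpart in the new "backup and diagnostics" section or in the second hunk, so it appears to be dropped from the 4600 install list altogether while `zip` stays. If that is intended, a `#- unzip` entry under the new header (or a word in the commit message) would make the intent visible; if not, it should be re-added next to `- zip`. The old/new side of the single-printed lines is inferred from the hunk counts on this rendered page, so treat the "dropped" reading as a likely, not certain, one.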


@@ -333,6 +333,8 @@ info_echo "4480_hardening_usb.sh"
hardening_usb hardening_usb
info_echo "4490_hardening_virus.sh" info_echo "4490_hardening_virus.sh"
hardening_virus hardening_virus
info_echo "4445_hardening_logrotate.sh"
hardening_logrotate
### CDI_4500 ### CDI_4500
info_echo "4500_accounts_preparation.sh" info_echo "4500_accounts_preparation.sh"
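Review bot: The new `hardening_logrotate` call is placed after `hardening_virus` (4490), while its script number 4445 and the `source_guard` order added in the sourcing list put it between 4440_hardening_haveged and 4450_hardening_memory. Unless the later position is deliberate (for example because logrotate.d snippets it patches are only created by the steps in between), moving `info_echo "4445_hardening_logrotate.sh"` / `hardening_logrotate` up behind the haveged call keeps execution order and numbering consistent; the haveged call presumably sits above this hunk. If the order is deliberate, a one-line comment on the call saying why would stop a later "fix" from reordering it.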


@@ -58,18 +58,18 @@ update_grub_bootparameter() {
if [[ "${VAR_SEC_FW}" == "apparmor" ]]; then if [[ "${VAR_SEC_FW}" == "apparmor" ]]; then
VV_GRUB_CMDLINE_LINUX="${VV_GRUB_CMDLINE_LINUX} apparmor=1 security=apparmor lsm=lockdown,yama,integrity,apparmor,bpf" VV_GRUB_CMDLINE_LINUX="${VV_GRUB_CMDLINE_LINUX:+${VV_GRUB_CMDLINE_LINUX} }apparmor=1 security=apparmor lsm=lockdown,yama,integrity,apparmor,bpf"
elif [[ "${VAR_SEC_FW}" == "selinux" ]]; then elif [[ "${VAR_SEC_FW}" == "selinux" ]]; then
### We start in permissive mode first, so we don't pass 'enforcing=1' through the command line. ### We start in permissive mode first, so we don't pass 'enforcing=1' through the command line.
VV_GRUB_CMDLINE_LINUX="${VV_GRUB_CMDLINE_LINUX} selinux=1 security=selinux" VV_GRUB_CMDLINE_LINUX="${VV_GRUB_CMDLINE_LINUX:+${VV_GRUB_CMDLINE_LINUX} }selinux=1 security=selinux"
fi fi
if [[ "${VAR_DROPBEAR}" == "true" ]]; then if [[ "${VAR_DROPBEAR}" == "true" ]]; then
var_label="${HMP_PATH_ENCLABEL["/"]}" var_label="${HMP_PATH_ENCLABEL["/"]}"
VV_GRUB_CMDLINE_LINUX="${VV_GRUB_CMDLINE_LINUX:+${VV_GRUB_CMDLINE_LINUX} }cryptdevice=${VAR_CRYPT_ROOT}:cryptroot root=/dev/mapper/${var_label}" VV_GRUB_CMDLINE_LINUX="${VV_GRUB_CMDLINE_LINUX} cryptdevice=${VAR_CRYPT_ROOT}:cryptroot root=/dev/mapper/${var_label}"
fi fi
if [[ "${VAR_NUKE}" == "true" ]]; then if [[ "${VAR_NUKE}" == "true" ]]; then
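Review bot: The three appends to `VV_GRUB_CMDLINE_LINUX` in `update_grub_bootparameter` now disagree on form: the apparmor and selinux branches use `${VV_GRUB_CMDLINE_LINUX:+${VV_GRUB_CMDLINE_LINUX} }…` so an empty variable gets no leading space, but the dropbear branch, as rendered here, ends up with the plain `${VV_GRUB_CMDLINE_LINUX} cryptdevice=…`, which yields a leading space in the cmdline whenever neither LSM branch ran. Using the same form there, `VV_GRUB_CMDLINE_LINUX="${VV_GRUB_CMDLINE_LINUX:+${VV_GRUB_CMDLINE_LINUX} }cryptdevice=${VAR_CRYPT_ROOT}:cryptroot root=/dev/mapper/${var_label}"`, keeps the branches uniform; if this page shows that line's sides reversed, the inconsistency is the same in the other direction. The function continues below the hunk (the VAR_NUKE branch), which should follow the same pattern.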


@@ -0,0 +1,76 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
guard_sourcing
#######################################
# Hardening logrotate.
# Globals:
# TARGET
# Arguments:
# None
# Returns:
# 0: on success
#######################################
hardening_logrotate() {
### Declare Arrays, HashMaps, and Variables.
declare -ar ary_logrotate=( "alternatives" "apt" "btmp" "chrony" "dpkg" "fail2ban" "rkhunter" "ufw" "unattended-upgrades" "usbguard")
declare var_file="" var_log=""
rm -f "${TARGET}/etc/logrotate.conf"
insert_header "${TARGET}/etc/logrotate.conf"
insert_comments "${TARGET}/etc/logrotate.conf"
cat << EOF >> "${TARGET}/etc/logrotate.conf"
# See "man logrotate" for details. Global options do not affect preceding include directives.
# rotate log files daily
daily
# keep 128 daily worth of backlogs
rotate 128
# hard cap: delete rotated logs older than 384 days
maxage 384
# create new (empty) log files after rotating old ones
create
# use date as a suffix of the rotated file
dateext
# gzip older rotations
compress
# keep the most recent rotation uncompressed for one cycle
delaycompress
# packages drop log rotation information into this directory
include /etc/logrotate.d
# system-specific logs may also be configured here.
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
EOF
for var_log in "${ary_logrotate[@]}"; do
var_file="${TARGET}/etc/logrotate.d/${var_log}"
[[ -e "${var_file}" ]] || continue
### Replace leading 'monthly'/'weekly' directives with 'daily', preserving indentation and trailing comments.
sed -E -i \
-e 's/^([[:space:]]*)(monthly|weekly)([[:space:]]*)(#.*)?$/\1daily\3\4/' \
-e 's/^([[:space:]]*)rotate([[:space:]]+[0-9]+)?([[:space:]]*)(#.*)?$/\1rotate 128\3\4/' \
"${var_file}"
done
guard_dir && return 0
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
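Review bot: `rm -f "${TARGET}/etc/logrotate.conf"` and the writes that follow operate on the host's own /etc if `TARGET` is unset or empty, and nothing in `hardening_logrotate` checks it even though the header lists it as a global; asserting it first, `: "${TARGET:?TARGET must be set}"`, or using `rm -f -- "${TARGET:?}/etc/logrotate.conf"`, closes that gap. Debian's stock logrotate.conf also carries `su root adm` ahead of the include and the generated file drops it — presumably intended, but a comment in the heredoc stating that the omission is deliberate (or re-adding the directive) would save the next reader from guessing whether snippets in the listed packages depend on it. The loop's `[[ -e "${var_file}" ]] || continue` silently skips snippets for packages that are installed later in the run (if 4600_installation_packages.sh runs after this step, as its number suggests), so a comment noting that only already-present snippets are rewritten, or a log line for the skipped ones, would make that behaviour visible. The `sed` rewrites only `monthly`/`weekly` and `rotate N`; a snippet using `yearly` or `size` keeps its own schedule, which is worth stating in the header comment.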


@@ -669,8 +669,10 @@ EOF
cat << EOF >> "${var_lr_conf}" cat << EOF >> "${var_lr_conf}"
/var/log/sudo.log { /var/log/sudo.log {
daily daily
rotate 90 rotate 128
maxage 384
compress compress
delaycompress
missingok missingok
notifempty notifempty
create 600 root root create 600 root root


@@ -72,6 +72,7 @@ SELINUXTYPE=default
# SETLOCALDEFS= Check local definition changes # SETLOCALDEFS= Check local definition changes
SETLOCALDEFS=0 SETLOCALDEFS=0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
EOF EOF
### Trigger a full relabeling on the first boot of the target. ### Trigger a full relabeling on the first boot of the target.
@@ -81,7 +82,7 @@ EOF
semanage port -a -t ssh_port_t -p tcp ${VAR_SSH_PORT} semanage port -a -t ssh_port_t -p tcp ${VAR_SSH_PORT}
" "
### Enable PAM SELinux modules in common-session configs ### Enable PAM SELinux modules in common-session configs.
sed -i '/^session.*required.*pam_selinux\.so/d' "${TARGET}/etc/pam.d/common-session" sed -i '/^session.*required.*pam_selinux\.so/d' "${TARGET}/etc/pam.d/common-session"
sed -i '/^session.*required.*pam_selinux\.so/d' "${TARGET}/etc/pam.d/common-session-noninteractive" sed -i '/^session.*required.*pam_selinux\.so/d' "${TARGET}/etc/pam.d/common-session-noninteractive"


@@ -370,6 +370,12 @@ EOF
printf 'Running debsums -g - encountered errors.' >> ${var_logfile} printf 'Running debsums -g - encountered errors.' >> ${var_logfile}
fi fi
" "
chroot_script "${TARGET}" "
rkhunter --propupd 2>&1 | tee -a ${var_logfile}
echo ExitCode: \$? >> ${var_logfile}
"
guard_dir && return 0 guard_dir && return 0
} }
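Review bot: `echo ExitCode: \$? >> ${var_logfile}` records the exit status of `tee`, not of `rkhunter --propupd`, because `$?` after a pipeline is the status of its last command, so the log will show 0 even when propupd fails. If `chroot_script` runs the snippet under bash, `echo ExitCode: \${PIPESTATUS[0]} >> ${var_logfile}` captures rkhunter's status; otherwise `set -o pipefail` at the top of the snippet is needed. Since `--propupd` re-baselines rkhunter's file-property database, it should be the last step that touches monitored binaries or configuration in the target; the enclosing function starts above the hunk, so that ordering cannot be confirmed here. The unquoted `${var_logfile}` matches the existing lines in the snippet but breaks on paths containing spaces.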


@@ -90,6 +90,7 @@ source_guard "./func/cdi_4400_hardening/4410_kernel_sysctl.sh"
source_guard "./func/cdi_4400_hardening/4420_hardening_fail2ban.sh" source_guard "./func/cdi_4400_hardening/4420_hardening_fail2ban.sh"
source_guard "./func/cdi_4400_hardening/4430_hardening_files.sh" source_guard "./func/cdi_4400_hardening/4430_hardening_files.sh"
source_guard "./func/cdi_4400_hardening/4440_hardening_haveged.sh" source_guard "./func/cdi_4400_hardening/4440_hardening_haveged.sh"
source_guard "./func/cdi_4400_hardening/4445_hardening_logrotate.sh"
source_guard "./func/cdi_4400_hardening/4450_hardening_memory.sh" source_guard "./func/cdi_4400_hardening/4450_hardening_memory.sh"
source_guard "./func/cdi_4400_hardening/4460_hardening_openssl.sh" source_guard "./func/cdi_4400_hardening/4460_hardening_openssl.sh"
source_guard "./func/cdi_4400_hardening/4470_hardening_ufw.sh" source_guard "./func/cdi_4400_hardening/4470_hardening_ufw.sh"