V8.00.000.2025.06.17

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2025-09-25 21:56:59 +01:00
parent 44a1f50bc9
commit b338569f14
8 changed files with 101 additions and 14 deletions
--- a/.preseed/preseed.yaml
+++ b/.preseed/preseed.yaml
@@ -719,32 +719,29 @@ software:
  # Installed by 4600_installation_packages.sh
  ##############################################################################################################################
  - bat
-  - borgbackup
-  - borgbackup-doc
-  - dhcpdump
-  - dhcping
  - dialog
  - expect
  - htop
  - iftop
  - locate
  - man-db
-  - manpages
-  - manpages-dev
  - mdadm
  - mtr
  - ncat
-  - rsnapshot
  - rsync
  - sysstat
-  - unzip
  - zip
  ##############################################################################################################################
-  # diagnostics
+  # backup and diagnostics
  ##############################################################################################################################
+  #- borgbackup
+  #- borgbackup-doc
+  #- dhcpdump
+  #- dhcping
  #- knot-dnssecutils
  #- knot-dnsutils
  #- nmap
+  #- rsnapshot
  #- spectre-meltdown-checker
  #- tshark
  ##############################################################################################################################
@@ -758,6 +755,8 @@ software:
  #- debootstrap
  #- linux-source
  #- lld
+  #- manpages
+  #- manpages-dev
  #- shellcheck
  #- ssl-cert
  ##############################################################################################################################
--- a/ciss_debian_installer.sh
+++ b/ciss_debian_installer.sh
@@ -333,6 +333,8 @@ info_echo "4480_hardening_usb.sh"
 hardening_usb
 info_echo "4490_hardening_virus.sh"
 hardening_virus
+info_echo "4445_hardening_logrotate.sh"
+hardening_logrotate

 ### CDI_4500
 info_echo "4500_accounts_preparation.sh"
--- a/func/cdi_4200_boot/4250_update_grub_bootparameter.sh
+++ b/func/cdi_4200_boot/4250_update_grub_bootparameter.sh
@@ -58,18 +58,18 @@ update_grub_bootparameter() {

  if [[ "${VAR_SEC_FW}" == "apparmor" ]]; then

-    VV_GRUB_CMDLINE_LINUX="${VV_GRUB_CMDLINE_LINUX} apparmor=1 security=apparmor lsm=lockdown,yama,integrity,apparmor,bpf"
+    VV_GRUB_CMDLINE_LINUX="${VV_GRUB_CMDLINE_LINUX:+${VV_GRUB_CMDLINE_LINUX} }apparmor=1 security=apparmor lsm=lockdown,yama,integrity,apparmor,bpf"

  elif [[ "${VAR_SEC_FW}" == "selinux" ]]; then

    ### We start in permissive mode first, so we don't pass 'enforcing=1' through the command line.
-    VV_GRUB_CMDLINE_LINUX="${VV_GRUB_CMDLINE_LINUX} selinux=1 security=selinux"
+    VV_GRUB_CMDLINE_LINUX="${VV_GRUB_CMDLINE_LINUX:+${VV_GRUB_CMDLINE_LINUX} }selinux=1 security=selinux"

  fi

  if [[ "${VAR_DROPBEAR}" == "true" ]]; then
    var_label="${HMP_PATH_ENCLABEL["/"]}"
-    VV_GRUB_CMDLINE_LINUX="${VV_GRUB_CMDLINE_LINUX:+${VV_GRUB_CMDLINE_LINUX} }cryptdevice=${VAR_CRYPT_ROOT}:cryptroot root=/dev/mapper/${var_label}"
+    VV_GRUB_CMDLINE_LINUX="${VV_GRUB_CMDLINE_LINUX} cryptdevice=${VAR_CRYPT_ROOT}:cryptroot root=/dev/mapper/${var_label}"
  fi

  if [[ "${VAR_NUKE}" == "true" ]]; then
--- a/func/cdi_4400_hardening/4445_hardening_logrotate.sh
+++ b/func/cdi_4400_hardening/4445_hardening_logrotate.sh
@@ -0,0 +1,76 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.installer
+# SPDX-Security-Contact: security@coresecret.eu
+
+guard_sourcing
+
+#######################################
+# Hardening logrotate.
+# Globals:
+#   TARGET
+# Arguments:
+#   None
+# Returns:
+#   0: on success
+#######################################
+hardening_logrotate() {
+  ### Declare Arrays, HashMaps, and Variables.
+  declare -ar  ary_logrotate=( "alternatives" "apt" "btmp" "chrony" "dpkg" "fail2ban" "rkhunter" "ufw" "unattended-upgrades" "usbguard")
+  declare      var_file="" var_log=""
+
+  rm -f           "${TARGET}/etc/logrotate.conf"
+  insert_header   "${TARGET}/etc/logrotate.conf"
+  insert_comments "${TARGET}/etc/logrotate.conf"
+  cat << EOF >>   "${TARGET}/etc/logrotate.conf"
+# See "man logrotate" for details. Global options do not affect preceding include directives.
+
+# rotate log files daily
+daily
+
+# keep 128 daily worth of backlogs
+rotate 128
+
+# hard cap: delete rotated logs older than 384 days
+maxage 384
+
+# create new (empty) log files after rotating old ones
+create
+
+# use date as a suffix of the rotated file
+dateext
+
+# gzip older rotations
+compress
+
+# keep the most recent rotation uncompressed for one cycle
+delaycompress
+
+# packages drop log rotation information into this directory
+include /etc/logrotate.d
+
+# system-specific logs may also be configured here.
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
+EOF
+
+  for var_log in "${ary_logrotate[@]}"; do
+    var_file="${TARGET}/etc/logrotate.d/${var_log}"
+    [[ -e "${var_file}" ]] || continue
+    ### Replace leading 'monthly'/'weekly' directives with 'daily', preserving indentation and trailing comments.
+    sed -E -i \
+      -e 's/^([[:space:]]*)(monthly|weekly)([[:space:]]*)(#.*)?$/\1daily\3\4/' \
+      -e 's/^([[:space:]]*)rotate([[:space:]]+[0-9]+)?([[:space:]]*)(#.*)?$/\1rotate 128\3\4/' \
+      "${var_file}"
+  done
+
+  guard_dir && return 0
+}
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/func/cdi_4500_user/4520_accounts_setup.sh
+++ b/func/cdi_4500_user/4520_accounts_setup.sh
@@ -669,8 +669,10 @@ EOF
    cat << EOF >>   "${var_lr_conf}"
 /var/log/sudo.log {
    daily
-    rotate 90
+    rotate 128
+    maxage 384
    compress
+    delaycompress
    missingok
    notifempty
    create 600 root root
--- a/func/cdi_4600_packages/4610_installation_security.sh
+++ b/func/cdi_4600_packages/4610_installation_security.sh
@@ -72,6 +72,7 @@ SELINUXTYPE=default
 # SETLOCALDEFS= Check local definition changes
 SETLOCALDEFS=0

+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
 EOF

    ### Trigger a full relabeling on the first boot of the target.
@@ -81,7 +82,7 @@ EOF
      semanage port -a -t ssh_port_t -p tcp ${VAR_SSH_PORT}
    "

-    ### Enable PAM SELinux modules in common-session configs
+    ### Enable PAM SELinux modules in common-session configs.
    sed -i '/^session.*required.*pam_selinux\.so/d' "${TARGET}/etc/pam.d/common-session"
    sed -i '/^session.*required.*pam_selinux\.so/d' "${TARGET}/etc/pam.d/common-session-noninteractive"

--- a/func/cdi_4600_packages/4620_installation_verification.sh
+++ b/func/cdi_4600_packages/4620_installation_verification.sh
@@ -370,6 +370,12 @@ EOF
      printf 'Running debsums -g - encountered errors.' >> ${var_logfile}
    fi
  "
+
+  chroot_script "${TARGET}" "
+    rkhunter --propupd 2>&1 | tee -a ${var_logfile}
+    echo ExitCode: \$? >> ${var_logfile}
+  "
+
  guard_dir && return 0
 }

--- a/meta_loader_func.sh
+++ b/meta_loader_func.sh
@@ -90,6 +90,7 @@ source_guard "./func/cdi_4400_hardening/4410_kernel_sysctl.sh"
 source_guard "./func/cdi_4400_hardening/4420_hardening_fail2ban.sh"
 source_guard "./func/cdi_4400_hardening/4430_hardening_files.sh"
 source_guard "./func/cdi_4400_hardening/4440_hardening_haveged.sh"
+source_guard "./func/cdi_4400_hardening/4445_hardening_logrotate.sh"
 source_guard "./func/cdi_4400_hardening/4450_hardening_memory.sh"
 source_guard "./func/cdi_4400_hardening/4460_hardening_openssl.sh"
 source_guard "./func/cdi_4400_hardening/4470_hardening_ufw.sh"