msw/CISS.debian.installer
SHA256
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

V8.00.000.2025.06.17
All checks were successful
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 55s
Details

Browse Source 
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
This commit is contained in:
Marc S. Weidner
2025-09-10 10:37:51 +02:00
parent 92ef69cc2e
commit ba716d35d5
7 changed files with 395 additions and 67 deletions
Download Patch File Download Diff File Expand all files Collapse all files

23
func/cdi_4500_user/4510_accounts_hardening.sh
View File

@@ -38,14 +38,27 @@ accounts_hardening() {
echo ExitCode: \$? >> ${var_logfile}
"
### Keep 'tty1' active, disable the rest (VTs).
### Preparing 2fa hardening.
install -d -m 0755 -o root -g root "${TARGET}/etc/ciss"
touch "${TARGET}/etc/ciss/2fa.users"
chmod 0640 "${TARGET}/etc/ciss/2fa.users"
### Keep 'tty1' active, disable the rest.
chroot_script "${TARGET}" "
systemctl unmask getty@tty1.service
systemctl enable getty@tty1.service
for t in tty2 tty3 tty4 tty5 tty6; do
systemctl mask getty@${t}.service
done
"
systemctl mask serial-getty@.service
"
### Hardening file permissions.
chown root:root "${TARGET}/etc/passwd" "${TARGET}/etc/group"
chown root:shadow "${TARGET}/etc/shadow" "${TARGET}/etc/gshadow"
chmod 0644 "${TARGET}/etc/passwd" "${TARGET}/etc/group"
chmod 0640 "${TARGET}/etc/shadow" "${TARGET}/etc/gshadow"
chmod 0600 "${TARGET}/etc/securetty" "${TARGET}/etc/security/access.conf"
### Hardening '/etc/login.defs'.
mv "${TARGET}/etc/login.defs" "${TARGET}/root/.ciss/cdi/backup/etc/login.defs.bak"
@@ -60,6 +73,12 @@ accounts_hardening() {
insert_comments "${TARGET}/etc/security/pwquality.conf"
cat "${VAR_SETUP_PATH}/includes/target/etc/security/pwquality.cnf" >> "${TARGET}/etc/security/pwquality.conf"
### Hardening '/etc/security/access.conf'.
mv "${TARGET}/etc/security/access.conf" "${TARGET}/root/.ciss/cdi/backup/etc/security/access.conf.bak"
insert_header "${TARGET}/etc/security/access.conf"
insert_comments "${TARGET}/etc/security/access.conf"
cat "${VAR_SETUP_PATH}/includes/target/etc/security/access.cnf" >> "${TARGET}/etc/security/access.conf"
### Hardening password expiration; defaults to 16,384 days.
install -m 0700 -o root -g root "${VAR_SETUP_PATH}/includes/chroot/hooks/4510_password_expiration.hooks.sh" \
"${TARGET}/root/.ciss/cdi/hooks/4510_password_expiration.hooks.sh"