V8.00.000.2025.06.17
All checks were successful
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 1m46s
All checks were successful
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 1m46s
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
This commit is contained in:
@@ -15,8 +15,10 @@ guard_sourcing
|
||||
#######################################
|
||||
# Prepare '/etc/skel'-Directory.
|
||||
# Globals:
|
||||
# RECOVERY
|
||||
# TARGET
|
||||
# VAR_SETUP_PATH
|
||||
# VAR_RUN_RECOVERY
|
||||
# VAR_USER_ROOT_SPECIFIC
|
||||
# Arguments:
|
||||
# None
|
||||
# Returns:
|
||||
@@ -24,39 +26,32 @@ guard_sourcing
|
||||
#######################################
|
||||
accounts_preparation() {
|
||||
### Declare Arrays, HashMaps, and Variables.
|
||||
declare -r var_logfile="/root/.ciss/cdi/log/4130_installation_toolset.log"
|
||||
declare -r var_logfile="/root/.ciss/cdi/log/4500_accounts_preparation.sh.log"
|
||||
declare var_target="${TARGET}"
|
||||
|
||||
chroot_logger "${TARGET}${var_logfile}"
|
||||
### Check for TARGET / RECOVERY.
|
||||
[[ "${VAR_RUN_RECOVERY}" == "true" ]] && var_target="${RECOVERY}"
|
||||
|
||||
chroot_script "${TARGET}" "
|
||||
chroot_logger "${var_target}${var_logfile}"
|
||||
|
||||
chroot_script "${var_target}" "
|
||||
export INITRD=No
|
||||
apt-get install -y --no-install-recommends --no-install-suggests bash-completion fzf 2>&1 | tee -a ${var_logfile}
|
||||
"
|
||||
|
||||
mkdir -p "${TARGET}/etc/skel/.ciss"
|
||||
mkdir -p "${var_target}/etc/skel/.ciss"
|
||||
|
||||
install -m 0600 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/skel/.bashrc" "${TARGET}/etc/skel/.bashrc"
|
||||
install -m 0600 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/skel/.zshrc" "${TARGET}/etc/skel/.zshrc"
|
||||
install -m 0600 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/skel/.ciss/theme_eza_ciss.yml" "${TARGET}/etc/skel/.ciss/"
|
||||
install -m 0600 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/skel/.ciss/alias" "${TARGET}/etc/skel/.ciss/"
|
||||
install -m 0700 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/skel/.ciss/check_chrony.sh" "${TARGET}/etc/skel/.ciss/"
|
||||
install -m 0700 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/skel/.ciss/clean_logout.sh" "${TARGET}/etc/skel/.ciss/"
|
||||
install -m 0600 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/skel/.ciss/f2bchk" "${TARGET}/etc/skel/.ciss/"
|
||||
install -m 0600 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/skel/.ciss/scan_libwrap" "${TARGET}/etc/skel/.ciss/"
|
||||
install -m 0600 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/skel/.ciss/shortcuts" "${TARGET}/etc/skel/.ciss/"
|
||||
case "${VAR_USER_ROOT_SPECIFIC}" in
|
||||
|
||||
insert_comments "${TARGET}/etc/skel/.bashrc"
|
||||
insert_comments "${TARGET}/etc/skel/.zshrc"
|
||||
insert_comments "${TARGET}/etc/skel/.ciss/alias"
|
||||
insert_comments "${TARGET}/etc/skel/.ciss/check_chrony.sh"
|
||||
insert_comments "${TARGET}/etc/skel/.ciss/clean_logout.sh"
|
||||
insert_comments "${TARGET}/etc/skel/.ciss/f2bchk"
|
||||
insert_comments "${TARGET}/etc/skel/.ciss/scan_libwrap"
|
||||
insert_comments "${TARGET}/etc/skel/.ciss/shortcuts"
|
||||
"ciss") accounts_preparation_ciss ;;
|
||||
|
||||
### In order to be able to copy/paste from vim, one needs to create a '.vimrc' in every home directory with the following content:
|
||||
echo 'set clipboard=unnamed' >| "${TARGET}/etc/skel/.vimrc"
|
||||
chmod 0600 "${TARGET}/etc/skel/.vimrc"
|
||||
"physnet") accounts_preparation_physnet ;;
|
||||
|
||||
"none") do_log "info" "file_only" "4500() Account preparation [none] selected." ;;
|
||||
|
||||
*) do_log "warn" "file_only" "4500() Account preparation nothing selected. Keeping defaults." ;;
|
||||
|
||||
esac
|
||||
|
||||
guard_dir && return 0
|
||||
}
|
||||
|
||||
@@ -15,7 +15,10 @@ guard_sourcing
|
||||
#######################################
|
||||
# Account preparation CISS specific.
|
||||
# Globals:
|
||||
# None
|
||||
# RECOVERY
|
||||
# TARGET
|
||||
# VAR_RUN_RECOVERY
|
||||
# VAR_SETUP_PATH
|
||||
# Arguments:
|
||||
# None
|
||||
# Returns:
|
||||
@@ -23,7 +26,33 @@ guard_sourcing
|
||||
#######################################
|
||||
accounts_preparation_ciss() {
|
||||
### Declare Arrays, HashMaps, and Variables.
|
||||
declare var_target="${TARGET}"
|
||||
|
||||
### Check for TARGET / RECOVERY.
|
||||
[[ "${VAR_RUN_RECOVERY}" == "true" ]] && var_target="${RECOVERY}"
|
||||
|
||||
install -m 0600 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/skel/.bashrc" "${var_target}/etc/skel/.bashrc"
|
||||
install -m 0600 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/skel/.zshrc" "${var_target}/etc/skel/.zshrc"
|
||||
install -m 0600 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/skel/.ciss/theme_eza_ciss.yml" "${var_target}/etc/skel/.ciss/"
|
||||
install -m 0600 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/skel/.ciss/alias" "${var_target}/etc/skel/.ciss/"
|
||||
install -m 0700 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/skel/.ciss/check_chrony.sh" "${var_target}/etc/skel/.ciss/"
|
||||
install -m 0700 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/skel/.ciss/clean_logout.sh" "${var_target}/etc/skel/.ciss/"
|
||||
install -m 0600 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/skel/.ciss/f2bchk" "${var_target}/etc/skel/.ciss/"
|
||||
install -m 0600 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/skel/.ciss/scan_libwrap" "${var_target}/etc/skel/.ciss/"
|
||||
install -m 0600 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/skel/.ciss/shortcuts" "${var_target}/etc/skel/.ciss/"
|
||||
|
||||
insert_comments "${var_target}/etc/skel/.bashrc"
|
||||
insert_comments "${var_target}/etc/skel/.zshrc"
|
||||
insert_comments "${var_target}/etc/skel/.ciss/alias"
|
||||
insert_comments "${var_target}/etc/skel/.ciss/check_chrony.sh"
|
||||
insert_comments "${var_target}/etc/skel/.ciss/clean_logout.sh"
|
||||
insert_comments "${var_target}/etc/skel/.ciss/f2bchk"
|
||||
insert_comments "${var_target}/etc/skel/.ciss/scan_libwrap"
|
||||
insert_comments "${var_target}/etc/skel/.ciss/shortcuts"
|
||||
|
||||
### In order to be able to copy/paste from vim, one needs to create a '.vimrc' in every home directory with the following content:
|
||||
echo 'set clipboard=unnamed' >| "${var_target}/etc/skel/.vimrc"
|
||||
chmod 0600 "${var_target}/etc/skel/.vimrc"
|
||||
guard_dir && return 0
|
||||
}
|
||||
### Prevents accidental 'unset -f'.
|
||||
|
||||
@@ -15,7 +15,9 @@ guard_sourcing
|
||||
#######################################
|
||||
# Account preparation PHYSNET specific.
|
||||
# Globals:
|
||||
# None
|
||||
# RECOVERY
|
||||
# TARGET
|
||||
# VAR_RUN_RECOVERY
|
||||
# Arguments:
|
||||
# None
|
||||
# Returns:
|
||||
@@ -23,6 +25,10 @@ guard_sourcing
|
||||
#######################################
|
||||
accounts_preparation_physnet() {
|
||||
### Declare Arrays, HashMaps, and Variables.
|
||||
declare var_target="${TARGET}"
|
||||
|
||||
### Check for TARGET / RECOVERY.
|
||||
[[ "${VAR_RUN_RECOVERY}" == "true" ]] && var_target="${RECOVERY}"
|
||||
|
||||
guard_dir && return 0
|
||||
}
|
||||
|
||||
@@ -15,7 +15,9 @@ guard_sourcing
|
||||
#######################################
|
||||
# Hardening accounts: Google TOTP, Wordlists, masking ttys, expiration of accounts.
|
||||
# Globals:
|
||||
# RECOVERY
|
||||
# TARGET
|
||||
# VAR_RUN_RECOVERY
|
||||
# VAR_SETUP_PATH
|
||||
# Arguments:
|
||||
# None
|
||||
@@ -26,24 +28,28 @@ accounts_hardening() {
|
||||
### Declare Arrays, HashMaps, and Variables.
|
||||
declare -a ary_security_pkgs=()
|
||||
declare -r var_logfile="/root/.ciss/cdi/log/4510_accounts_hardening.log"
|
||||
declare var_target="${TARGET}"
|
||||
|
||||
chroot_logger "${TARGET}${var_logfile}"
|
||||
### Check for TARGET / RECOVERY.
|
||||
[[ "${VAR_RUN_RECOVERY}" == "true" ]] && var_target="${RECOVERY}"
|
||||
|
||||
chroot_logger "${var_target}${var_logfile}"
|
||||
|
||||
### Installing Google TOTP, Wordlists.
|
||||
ary_security_pkgs=( "libpam-google-authenticator" "wamerican" "wbritish" "wfrench" "wngerman" )
|
||||
chroot_script "${TARGET}" "
|
||||
chroot_script "${var_target}" "
|
||||
export INITRD=No
|
||||
apt-get install -y --no-install-recommends --no-install-suggests ${ary_security_pkgs[*]} 2>&1 | tee -a ${var_logfile}
|
||||
"
|
||||
|
||||
### Preparing 2fa hardening.
|
||||
install -d -m 0755 -o root -g root "${TARGET}/etc/ciss"
|
||||
touch "${TARGET}/etc/ciss/2fa.users"
|
||||
chmod 0640 "${TARGET}/etc/ciss/2fa.users"
|
||||
install -d -m 0755 -o root -g root "${var_target}/etc/ciss"
|
||||
touch "${var_target}/etc/ciss/2fa.users"
|
||||
chmod 0640 "${var_target}/etc/ciss/2fa.users"
|
||||
|
||||
### Keep 'tty1' active, disable the rest.
|
||||
# shellcheck disable=SC2016
|
||||
chroot_script "${TARGET}" '
|
||||
chroot_script "${var_target}" '
|
||||
systemctl unmask getty@tty1.service
|
||||
systemctl enable getty@tty1.service
|
||||
for t in tty2 tty3 tty4 tty5 tty6; do
|
||||
@@ -52,7 +58,7 @@ accounts_hardening() {
|
||||
systemctl mask serial-getty@.service
|
||||
'
|
||||
|
||||
chroot_script "${TARGET}" "
|
||||
chroot_script "${var_target}" "
|
||||
if [[ ! -f /etc/securetty ]]; then
|
||||
touch /etc/securetty
|
||||
chmod 0600 /etc/securetty
|
||||
@@ -61,40 +67,44 @@ accounts_hardening() {
|
||||
"
|
||||
|
||||
### Hardening file permissions.
|
||||
chown root:root "${TARGET}/etc/passwd" "${TARGET}/etc/group"
|
||||
chown root:shadow "${TARGET}/etc/shadow" "${TARGET}/etc/gshadow"
|
||||
chmod 0644 "${TARGET}/etc/passwd" "${TARGET}/etc/group"
|
||||
chmod 0640 "${TARGET}/etc/shadow" "${TARGET}/etc/gshadow"
|
||||
chmod 0600 "${TARGET}/etc/security/access.conf"
|
||||
chown root:root "${var_target}/etc/passwd" "${var_target}/etc/group"
|
||||
chown root:shadow "${var_target}/etc/shadow" "${var_target}/etc/gshadow"
|
||||
chmod 0644 "${var_target}/etc/passwd" "${var_target}/etc/group"
|
||||
chmod 0640 "${var_target}/etc/shadow" "${var_target}/etc/gshadow"
|
||||
chmod 0600 "${var_target}/etc/security/access.conf"
|
||||
|
||||
### Hardening '/etc/login.defs'.
|
||||
mkdir -p "${TARGET}/root/.ciss/cdi/backup/etc"
|
||||
mv "${TARGET}/etc/login.defs" "${TARGET}/root/.ciss/cdi/backup/etc/login.defs.bak"
|
||||
insert_header "${TARGET}/etc/login.defs"
|
||||
insert_comments "${TARGET}/etc/login.defs"
|
||||
cat "${VAR_SETUP_PATH}/includes/target/etc/login.defs" >> "${TARGET}/etc/login.defs"
|
||||
mkdir -p "${var_target}/root/.ciss/cdi/backup/etc"
|
||||
mv "${var_target}/etc/login.defs" "${var_target}/root/.ciss/cdi/backup/etc/login.defs.bak"
|
||||
insert_header "${var_target}/etc/login.defs"
|
||||
insert_comments "${var_target}/etc/login.defs"
|
||||
cat "${VAR_SETUP_PATH}/includes/target/etc/login.defs" >> "${var_target}/etc/login.defs"
|
||||
|
||||
### Hardening '/etc/security/pwquality.conf'.
|
||||
mkdir -p "${TARGET}/root/.ciss/cdi/backup/etc/security"
|
||||
mv "${TARGET}/etc/security/pwquality.conf" "${TARGET}/root/.ciss/cdi/backup/etc/security/pwquality.conf.bak"
|
||||
insert_header "${TARGET}/etc/security/pwquality.conf"
|
||||
insert_comments "${TARGET}/etc/security/pwquality.conf"
|
||||
cat "${VAR_SETUP_PATH}/includes/target/etc/security/pwquality.cnf" >> "${TARGET}/etc/security/pwquality.conf"
|
||||
mkdir -p "${var_target}/root/.ciss/cdi/backup/etc/security"
|
||||
mv "${var_target}/etc/security/pwquality.conf" "${var_target}/root/.ciss/cdi/backup/etc/security/pwquality.conf.bak"
|
||||
insert_header "${var_target}/etc/security/pwquality.conf"
|
||||
insert_comments "${var_target}/etc/security/pwquality.conf"
|
||||
cat "${VAR_SETUP_PATH}/includes/target/etc/security/pwquality.cnf" >> "${var_target}/etc/security/pwquality.conf"
|
||||
|
||||
### Hardening '/etc/security/access.conf'.
|
||||
mv "${TARGET}/etc/security/access.conf" "${TARGET}/root/.ciss/cdi/backup/etc/security/access.conf.bak"
|
||||
insert_header "${TARGET}/etc/security/access.conf"
|
||||
insert_comments "${TARGET}/etc/security/access.conf"
|
||||
cat "${VAR_SETUP_PATH}/includes/target/etc/security/access.cnf" >> "${TARGET}/etc/security/access.conf"
|
||||
mv "${var_target}/etc/security/access.conf" "${var_target}/root/.ciss/cdi/backup/etc/security/access.conf.bak"
|
||||
insert_header "${var_target}/etc/security/access.conf"
|
||||
insert_comments "${var_target}/etc/security/access.conf"
|
||||
cat "${VAR_SETUP_PATH}/includes/target/etc/security/access.cnf" >> "${var_target}/etc/security/access.conf"
|
||||
|
||||
### Hardening password expiration; defaults to 16,384 days.
|
||||
install -m 0700 -o root -g root "${VAR_SETUP_PATH}/includes/chroot/hooks/4510_password_expiration.hooks.sh" \
|
||||
"${TARGET}/root/.ciss/cdi/hooks/4510_password_expiration.hooks.sh"
|
||||
"${var_target}/root/.ciss/cdi/hooks/4510_password_expiration.hooks.sh"
|
||||
|
||||
if ! chroot_script "${var_target}" "/root/.ciss/cdi/hooks/4510_password_expiration.hooks.sh" "emergency"; then
|
||||
|
||||
do_log "warn" "file_only" "4510() Command: [chroot_script ${var_target} /root/.ciss/cdi/hooks/4510_password_expiration.hooks.sh emergency] failed."
|
||||
|
||||
if ! chroot_script "${TARGET}" "/root/.ciss/cdi/hooks/4510_password_expiration.hooks.sh" "emergency"; then
|
||||
do_log "warn" "file_only" "4510() Command: [chroot_script ${TARGET} /root/.ciss/cdi/hooks/4510_password_expiration.hooks.sh emergency] failed."
|
||||
else
|
||||
do_log "debug" "file_only" "4510() Command: [chroot_script ${TARGET} /root/.ciss/cdi/hooks/4510_password_expiration.hooks.sh emergency] successful."
|
||||
|
||||
do_log "debug" "file_only" "4510() Command: [chroot_script ${var_target} /root/.ciss/cdi/hooks/4510_password_expiration.hooks.sh emergency] successful."
|
||||
|
||||
fi
|
||||
|
||||
guard_dir && return 0
|
||||
|
||||
@@ -21,17 +21,19 @@ guard_sourcing
|
||||
#######################################
|
||||
# Updating user accounts.
|
||||
# Globals:
|
||||
# RECOVERY
|
||||
# TARGET
|
||||
# VAR_RUN_RECOVERY
|
||||
# VAR_SETUP_PATH
|
||||
# VAR_TEMP_PLAIN_MFA_SEED
|
||||
# VAR_USER_MAX
|
||||
# VAR_USER_ROOT_SPECIFIC
|
||||
# user_root_authentication_2fa_ssh
|
||||
# user_root_authentication_2fa_tty
|
||||
# user_root_authentication_access_ssh
|
||||
# user_root_authentication_access_tty
|
||||
# user_root_authentication_password
|
||||
# user_root_shell
|
||||
# user_root_specific
|
||||
# user_root_sshpubkey
|
||||
# Arguments:
|
||||
# None
|
||||
@@ -79,7 +81,7 @@ accounts_setup() {
|
||||
|
||||
if [[ -x "${var_target}${user_root_shell}" ]]; then
|
||||
|
||||
case "${user_root_specific,,}" in
|
||||
case "${VAR_USER_ROOT_SPECIFIC,,}" in
|
||||
|
||||
"ciss")
|
||||
zsh_omz_installer "root" "${var_target}"
|
||||
|
||||
@@ -15,7 +15,9 @@ guard_sourcing
|
||||
#######################################
|
||||
# Account setup CISS specific.
|
||||
# Globals:
|
||||
# None
|
||||
# RECOVERY
|
||||
# TARGET
|
||||
# VAR_RUN_RECOVERY
|
||||
# Arguments:
|
||||
# None
|
||||
# Returns:
|
||||
@@ -23,6 +25,10 @@ guard_sourcing
|
||||
#######################################
|
||||
accounts_setup_ciss() {
|
||||
### Declare Arrays, HashMaps, and Variables.
|
||||
declare var_target="${TARGET}"
|
||||
|
||||
### Check for TARGET / RECOVERY.
|
||||
[[ "${VAR_RUN_RECOVERY}" == "true" ]] && var_target="${RECOVERY}"
|
||||
|
||||
guard_dir && return 0
|
||||
}
|
||||
|
||||
@@ -15,7 +15,9 @@ guard_sourcing
|
||||
#######################################
|
||||
# Account setup PHYSNET specific.
|
||||
# Globals:
|
||||
# None
|
||||
# RECOVERY
|
||||
# TARGET
|
||||
# VAR_RUN_RECOVERY
|
||||
# Arguments:
|
||||
# None
|
||||
# Returns:
|
||||
@@ -23,6 +25,10 @@ guard_sourcing
|
||||
#######################################
|
||||
accounts_setup_physnet() {
|
||||
### Declare Arrays, HashMaps, and Variables.
|
||||
declare var_target="${TARGET}"
|
||||
|
||||
### Check for TARGET / RECOVERY.
|
||||
[[ "${VAR_RUN_RECOVERY}" == "true" ]] && var_target="${RECOVERY}"
|
||||
|
||||
guard_dir && return 0
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user