V8.00.000.2025.06.17
All checks were successful
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 53s
All checks were successful
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 53s
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
This commit is contained in:
@@ -25,13 +25,13 @@ guard_sourcing
|
||||
accounts_preparation() {
|
||||
mkdir -p "${TARGET}/etc/skel/.ciss"
|
||||
|
||||
install -m 0644 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/skel/.bashrc" "${TARGET}/etc/skel/.bashrc"
|
||||
install -m 0644 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/skel/.zshrc" "${TARGET}/etc/skel/.zshrc"
|
||||
install -m 0644 -o root -g root "${VAR_SETUP_PATH}/includes/target/root/.ciss/alias" "${TARGET}/etc/skel/.ciss/alias"
|
||||
install -m 0644 -o root -g root "${VAR_SETUP_PATH}/includes/target/root/.ciss/clean_logout.sh" "${TARGET}/etc/skel/.ciss/clean_logout.sh"
|
||||
install -m 0644 -o root -g root "${VAR_SETUP_PATH}/includes/target/root/.ciss/f2bchk.sh" "${TARGET}/etc/skel/.ciss/f2bchk.sh"
|
||||
install -m 0644 -o root -g root "${VAR_SETUP_PATH}/includes/target/root/.ciss/scan_libwrap" "${TARGET}/etc/skel/.ciss/scan_libwrap"
|
||||
install -m 0644 -o root -g root "${VAR_SETUP_PATH}/includes/target/root/.ciss/shortcuts" "${TARGET}/etc/skel/.ciss/shortcuts"
|
||||
install -m 0600 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/skel/.bashrc" "${TARGET}/etc/skel/.bashrc"
|
||||
install -m 0600 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/skel/.zshrc" "${TARGET}/etc/skel/.zshrc"
|
||||
install -m 0600 -o root -g root "${VAR_SETUP_PATH}/includes/target/root/.ciss/alias" "${TARGET}/etc/skel/.ciss/alias"
|
||||
install -m 0600 -o root -g root "${VAR_SETUP_PATH}/includes/target/root/.ciss/clean_logout.sh" "${TARGET}/etc/skel/.ciss/clean_logout.sh"
|
||||
install -m 0600 -o root -g root "${VAR_SETUP_PATH}/includes/target/root/.ciss/f2bchk.sh" "${TARGET}/etc/skel/.ciss/f2bchk.sh"
|
||||
install -m 0600 -o root -g root "${VAR_SETUP_PATH}/includes/target/root/.ciss/scan_libwrap" "${TARGET}/etc/skel/.ciss/scan_libwrap"
|
||||
install -m 0600 -o root -g root "${VAR_SETUP_PATH}/includes/target/root/.ciss/shortcuts" "${TARGET}/etc/skel/.ciss/shortcuts"
|
||||
|
||||
insert_comments "${TARGET}/etc/skel/.bashrc"
|
||||
insert_comments "${TARGET}/etc/skel/.zshrc"
|
||||
@@ -43,7 +43,7 @@ accounts_preparation() {
|
||||
|
||||
### In order to be able to copy/paste from vim, one needs to create a '.vimrc' in every home directory with the following content:
|
||||
echo 'set clipboard=unnamed' >| "${TARGET}/etc/skel/.vimrc"
|
||||
chmod 0644 "${TARGET}/etc/skel/.vimrc"
|
||||
chmod 0600 "${TARGET}/etc/skel/.vimrc"
|
||||
|
||||
guard_dir && return 0
|
||||
}
|
||||
|
||||
@@ -13,15 +13,62 @@
|
||||
guard_sourcing
|
||||
|
||||
#######################################
|
||||
#
|
||||
# Hardening accounts: Google TOTP, Wordlists, masking ttys, expiration of accounts.
|
||||
# Globals:
|
||||
# TARGET
|
||||
# VAR_SETUP_PATH
|
||||
# Arguments:
|
||||
# None
|
||||
# Returns:
|
||||
# 0: on success
|
||||
#######################################
|
||||
accounts_hardening() {
|
||||
### Declare Arrays, HashMaps, and Variables.
|
||||
declare -a ary_security_pkgs=()
|
||||
declare -r var_logfile="/root/.ciss/cdi/log/4510_accounts_hardening.log"
|
||||
declare t=""
|
||||
|
||||
chroot_logger "${TARGET}${var_logfile}"
|
||||
|
||||
### Installing Google TOTP, Wordlists.
|
||||
ary_security_pkgs=( "libpam-google-authenticator" "wamerican" "wbritish" "wfrench" "wngerman" )
|
||||
chroot_script "${TARGET}" "
|
||||
export INITRD=No
|
||||
apt-get install -y --no-install-recommends --no-install-suggests ${ary_security_pkgs[*]} 2>&1 | tee -a ${var_logfile}
|
||||
echo ExitCode: \$? >> ${var_logfile}
|
||||
"
|
||||
|
||||
### Keep 'tty1' active, disable the rest (VTs).
|
||||
chroot_script "${TARGET}" "
|
||||
systemctl unmask getty@tty1.service
|
||||
systemctl enable getty@tty1.service
|
||||
for t in tty2 tty3 tty4 tty5 tty6; do
|
||||
systemctl mask getty@${t}.service
|
||||
done
|
||||
"
|
||||
|
||||
### Hardening '/etc/login.defs'.
|
||||
mv "${TARGET}/etc/login.defs" "${TARGET}/root/.ciss/cdi/backup/etc/login.defs.bak"
|
||||
insert_header "${TARGET}/etc/login.defs"
|
||||
insert_comments "${TARGET}/etc/login.defs"
|
||||
cat "${VAR_SETUP_PATH}/includes/target/etc/login.defs" >> "${TARGET}/etc/login.defs"
|
||||
|
||||
### Hardening '/etc/security/pwquality.conf'.
|
||||
mkdir -p "${TARGET}/root/.ciss/cdi/backup/etc/security"
|
||||
mv "${TARGET}/etc/security/pwquality.conf" "${TARGET}/root/.ciss/cdi/backup/etc/security/pwquality.conf.bak"
|
||||
insert_header "${TARGET}/etc/security/pwquality.conf"
|
||||
insert_comments "${TARGET}/etc/security/pwquality.conf"
|
||||
cat "${VAR_SETUP_PATH}/includes/target/etc/security/pwquality.cnf" >> "${TARGET}/etc/security/pwquality.conf"
|
||||
|
||||
### Hardening password expiration; defaults to 16,384 days.
|
||||
install -m 0700 -o root -g root "${VAR_SETUP_PATH}/includes/chroot/hooks/4510_password_expiration.hooks.sh" \
|
||||
"${TARGET}/root/.ciss/cdi/hooks/4510_password_expiration.hooks.sh"
|
||||
|
||||
if ! chroot_script "${TARGET}" "/root/.ciss/cdi/hooks/4510_password_expiration.hooks.sh" "emergency"; then
|
||||
do_log "warn" "file_only" "4510() Command: [chroot_script ${TARGET} /root/.ciss/cdi/hooks/4510_password_expiration.hooks.sh emergency] failed."
|
||||
else
|
||||
do_log "debug" "file_only" "4510() Command: [chroot_script ${TARGET} /root/.ciss/cdi/hooks/4510_password_expiration.hooks.sh emergency] successful."
|
||||
fi
|
||||
|
||||
guard_dir && return 0
|
||||
}
|
||||
|
||||
@@ -29,23 +29,13 @@ guard_sourcing
|
||||
#######################################
|
||||
accounts_setup() {
|
||||
### Declare Arrays, HashMaps, and Variables.
|
||||
declare -i i
|
||||
declare tmp_username="" tmp_fullname="" tmp_uid="" tmp_gid="" tmp_shell="" tmp_password="" tmp_sshpubkey="" tmp_sudo="" \
|
||||
tmp_restricted=""
|
||||
declare var_username="" var_fullname="" var_uid="" var_gid="" var_shell="" var_password="" var_sshpubkey="" var_sudo="" \
|
||||
var_restricted="" var_chpasswd="" var_sshdir=""
|
||||
declare -i i=0
|
||||
declare tmp_username="" tmp_fullname="" tmp_uid="" tmp_gid="" tmp_shell="" tmp_password="" tmp_sshpubkey="" tmp_sudo="" \
|
||||
tmp_restricted=""
|
||||
declare var_username="" var_fullname="" var_uid="" var_gid="" var_shell="" var_password="" var_sshpubkey="" var_sudo="" \
|
||||
var_restricted="" var_chpasswd="" var_sshdir=""
|
||||
|
||||
### Hardening '/etc/login.defs'
|
||||
rm -f "${TARGET}/etc/login.defs"
|
||||
insert_header "${TARGET}/etc/login.defs"
|
||||
insert_comments "${TARGET}/etc/login.defs"
|
||||
cat "${VAR_SETUP_PATH}/includes/target/etc/login.defs" >> "${TARGET}/etc/login.defs"
|
||||
|
||||
### Hardening '/etc/security/pwquality.conf'
|
||||
rm -f "${TARGET}/etc/security/pwquality.conf"
|
||||
insert_header "${TARGET}/etc/security/pwquality.conf"
|
||||
insert_comments "${TARGET}/etc/security/pwquality.conf"
|
||||
cat "${VAR_SETUP_PATH}/includes/target/etc/security/pwquality.cnf" >> "${TARGET}/etc/security/pwquality.conf"
|
||||
|
||||
### Preparing the root account
|
||||
chown root:root "${TARGET}/etc/passwd" "${TARGET}/etc/shadow" "${TARGET}/etc/group" "${TARGET}/etc/gshadow"
|
||||
@@ -55,6 +45,7 @@ accounts_setup() {
|
||||
if [[ -x "${TARGET}${user_root_shell}" ]]; then
|
||||
chroot_exec "${TARGET}" chsh -s "${user_root_shell}" root
|
||||
else
|
||||
chroot_exec "${TARGET}" chsh -s /bin/bash root
|
||||
do_log "warn" "file_only" "4500() Shell: '${user_root_shell}' not found for: 'root'. Using '/bin/bash' instead."
|
||||
fi
|
||||
|
||||
@@ -185,8 +176,7 @@ write_google_authenticator_file() {
|
||||
esac
|
||||
declare -i i=0
|
||||
|
||||
### TODO: PASSWORD REMINDER START:NOT ACTIVE
|
||||
#guard_trace on
|
||||
guard_trace on
|
||||
|
||||
var_secret="$(generate_totp_secret "${var_user}")"
|
||||
|
||||
@@ -202,8 +192,7 @@ write_google_authenticator_file() {
|
||||
for i in {0..7}; do printf '%08d\n' "$(( RANDOM % 100000000 ))"; done
|
||||
} >| "${var_base}/.google_authenticator"
|
||||
|
||||
### TODO: PASSWORD REMINDER STOP:NOT ACTIVE
|
||||
#guard_trace off
|
||||
guard_trace off
|
||||
|
||||
chown "${var_user}:${var_user}" "${var_base}/.google_authenticator"
|
||||
|
||||
@@ -235,8 +224,7 @@ generate_totp_secret() {
|
||||
declare var_info="${user_mfa_info}"
|
||||
declare var_secret=""
|
||||
|
||||
### TODO: PASSWORD REMINDER START:NOT ACTIVE
|
||||
#guard_trace on
|
||||
guard_trace on
|
||||
|
||||
### Derive 20 bytes via HKDF-SHA256 using OpenSSL 3 kdf, output as raw, then base32 (uppercase, no padding).
|
||||
# shellcheck disable=SC2312
|
||||
@@ -245,8 +233,7 @@ generate_totp_secret() {
|
||||
-kdfopt salt:"${var_salt}" -kdfopt info:"${var_info}" -binary HKDF | base32 | tr -d '=' | tr '[:lower:]' '[:upper:]'
|
||||
)"
|
||||
|
||||
### TODO: PASSWORD REMINDER STOP:NOT ACTIVE
|
||||
#guard_trace off
|
||||
guard_trace off
|
||||
|
||||
printf '%s\n' "${var_secret}"
|
||||
return 0
|
||||
@@ -268,8 +255,7 @@ read_totp_seed(){
|
||||
declare -r var_mfa_seed_file="${DIR_CNF}/mfa_master.txt"
|
||||
declare -g VAR_TEMP_PLAIN_MFA_SEED=""
|
||||
|
||||
### TODO: PASSWORD REMINDER START:NOT ACTIVE
|
||||
#guard_trace on
|
||||
guard_trace on
|
||||
|
||||
if ! read_password_file "${var_mfa_seed_file}" VAR_TEMP_PLAIN_MFA_SEED; then
|
||||
|
||||
@@ -280,8 +266,7 @@ read_totp_seed(){
|
||||
### Validate: exactly 64 hex.
|
||||
[[ "${VAR_TEMP_PLAIN_MFA_SEED}" =~ ^[0-9a-fA-F]{64}$ ]] || return "${ERR_READ_SEED_FILE}"
|
||||
|
||||
### TODO: PASSWORD REMINDER STOP:NOT ACTIVE
|
||||
#guard_trace off
|
||||
guard_trace off
|
||||
|
||||
return 0
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user