V8.00.000.2025.06.17

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2025-09-10 22:56:54 +02:00
parent e65e3471ce
commit d17f60870d
3 changed files with 114 additions and 7 deletions
--- a/func/cdi_4500_user/4520_accounts_setup.sh
+++ b/func/cdi_4500_user/4520_accounts_setup.sh
@@ -40,7 +40,7 @@ accounts_setup() {
              tmp_access_tty="" tmp_auth_pwd="" tmp_2fa_ssh="" tmp_2fa_tty="" tmp_sudo="" tmp_restricted=""
  declare     var_username="" var_fullname="" var_uid="" var_gid="" var_shell="" var_password="" var_sshpubkey="" \
              var_access_tty="" var_auth_pwd="" var_2fa_ssh="" var_2fa_tty="" var_sudo="" var_restricted=""
-  declare     var_chpasswd="" var_pam_login="/etc/pam.d/login"
+  declare     var_chpasswd="" var_pam_login="/etc/pam.d/login" var_ssh_totp_update="false"

  chroot_logger "${TARGET}${var_logfile}"

@@ -158,10 +158,19 @@ EOF
  fi

  ### 6) Update the 'root' 'totp'-policy and write the '.google_authenticator'-file.
-  [[ "${user_root_authentication_2fa_ssh}" == "true" || "${user_root_authentication_2fa_tty}" == "true" ]] && \
+  if [[ "${user_root_authentication_2fa_ssh}" == "true" || "${user_root_authentication_2fa_tty}" == "true" ]]; then
    write_google_authenticator_file "root"
+  fi

-  [[ "${user_root_authentication_2fa_ssh}" == "true" ]] && pam_access_totp_enable "root" "sshd"
+  if [[ "${user_root_authentication_2fa_ssh}" == "true" ]]; then
+    pam_access_totp_enable "root" "sshd"
+    var_ssh_totp_update="true"
+    cat << EOF >> "${TARGET}/etc/ssh/sshd_config"
+Match User root
+    AuthenticationMethods    publickey,keyboard-interactive:pam
+
+EOF
+  fi

  [[ "${user_root_authentication_2fa_tty}" == "true" ]] && pam_access_totp_enable "root" "login"

@@ -306,16 +315,26 @@ EOF
    fi

    ### 6) Update the 'root' 'totp'-policy and write the '.google_authenticator'-file.
-    [[ "${var_2fa_ssh}" == "true" || "${var_2fa_tty}" == "true" ]] && \
+    if [[ "${var_2fa_ssh}" == "true" || "${var_2fa_tty}" == "true" ]]; then
      write_google_authenticator_file "${var_username}"
+    fi

-    [[ "${var_2fa_ssh}" == "true" ]] && pam_access_totp_enable "${var_username}" "sshd"
+    if [[ "${var_2fa_ssh}" == "true" ]]; then
+      pam_access_totp_enable "${var_username}" "sshd"
+      var_ssh_totp_update="true"
+      cat << EOF >> "${TARGET}/etc/ssh/sshd_config"
+Match User ${var_username}
+    AuthenticationMethods    publickey,keyboard-interactive:pam
+
+EOF
+    fi

    [[ "${var_2fa_tty}" == "true" ]] && pam_access_totp_enable "${var_username}" "login"

    ### 7) Check sudo membership for user.
    if [[ "${var_sudo}" == "true" ]]; then
      chroot_exec "${TARGET}" usermod -aG sudo "${var_username}"
+      hardening_sudo "${var_username}"
    fi

    ### 8) Final status logging.
@@ -323,9 +342,14 @@ EOF

  done

+  if [[ "${var_ssh_totp_update}" == "true" ]]; then
+    sed -i -E "s|^[[:space:]]*KbdInteractiveAuthentication[[:space:]]+.*$|$(printf '%-29s%s' 'KbdInteractiveAuthentication' 'yes')|" "${TARGET}/etc/ssh/sshd_config"
+  fi
+
  unset VAR_TEMP_PLAIN_MFA_SEED
  printf "-: ALL:ALL \n" >> "${TARGET}/etc/security/access.conf"
  printf "# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf \n" >> "${TARGET}/etc/security/access.conf"
+  printf "# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf \n" >> "${TARGET}/etc/ssh/sshd_conf"

  guard_dir && return 0
 }
@@ -367,6 +391,89 @@ generate_totp_secret() {
  return 0
 }

+#######################################
+# Hardening sudo users.
+# Globals:
+#   TARGET
+# Arguments:
+#   1: <username>
+# Returns:
+#   0: on success
+#   ERR_VERIFY_LOGROTATE: on failure
+#   ERR_VERIFY_VISUDO: on failure
+#######################################
+hardening_sudo() {
+  ### Declare Arrays, HashMaps, and Variables.
+  declare     var_user="$1"
+  declare -r  var_logfile="/root/.ciss/cdi/log/4520_accounts_setup.log"
+
+  ### Create sudo log directory.
+  mkdir -p "${TARGET}/var/log/sudo-io"
+  find "${TARGET}/var/log/sudo-io" -type d -exec chmod 0700 {} \;
+
+  ### Create sudoers logfile directive.
+  cat << EOF >> "${TARGET}/etc/sudoers"
+
+##### Added by CISS.debian.installer
+Defaults log_host, log_year, log_input, log_exit_status, log_subcmds, logfile="/var/log/sudo.log", iolog_dir="/var/log/sudo-io"
+EOF
+
+  ### Create sudoers user directive.
+  touch "${TARGET}/etc/sudoers.d/user_${var_user}"
+  cat << EOF >> "${TARGET}/etc/sudoers.d/user_${var_user}"
+${var_user} ALL=NOPASSWD: ALL
+EOF
+
+  ### Set '/etc/sudoers.d' file permissions to 0440.
+  find "${TARGET}/etc/sudoers.d" -type f -exec chmod 0440 {} \;
+
+  ### Verify written '/etc/sudoers.d' configuration.
+  if ! chroot_script "${TARGET}" "export EDITOR=/usr/bin/nano /usr/sbin/visudo -q -c >> ${var_logfile}"; then
+
+    do_log "warn" "file_only" "Command: [chroot_script ${TARGET} export EDITOR=/usr/bin/nano /usr/sbin/visudo -q -c] failed."
+
+    return "${ERR_VERIFY_VISUDO}"
+
+  else
+
+    do_log "info" "file_only" "Command: [chroot_script ${TARGET} export EDITOR=/usr/bin/nano /usr/sbin/visudo -q -c] successful."
+
+  fi
+
+  ### Create sudo log rotation directive.
+  insert_header   "${TARGET}/etc/logrotate.d/sudo"
+  insert_comments "${TARGET}/etc/logrotate.d/sudo"
+  cat << EOF >>   "${TARGET}/etc/logrotate.d/sudo"
+/var/log/sudo.log {
+    daily
+    rotate 90
+    compress
+    missingok
+    notifempty
+    create 600 root root
+    sharedscripts
+    postrotate
+        /usr/bin/systemctl reload sudo.service > /dev/null 2>&1 || true
+    endscript
+}
+EOF
+
+  ### Verify written sudo log rotation configuration.
+  if ! chroot_script "${TARGET}" "logrotate -d /etc/logrotate.conf >> ${var_logfile}"; then
+
+    do_log "warn" "file_only" "Command: [chroot_script ${TARGET} logrotate -d /etc/logrotate.conf] failed."
+
+    return "${ERR_VERIFY_LOGROTATE}"
+
+  else
+
+    do_log "info" "file_only" "Command: [chroot_script ${TARGET} logrotate -d /etc/logrotate.conf] successful."
+
+  fi
+
+  return 0
+}
+
 #######################################
 # Ensure the 'pam_access' line is not activated in '/etc/pam.d/login' and '/etc/pam.d/sshd' in parallel.
 # Globals: