V8.00.000.2025.06.17

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>

func/cdi_4500_user/4520_accounts_setup.sh

@@ -40,7 +40,7 @@ accounts_setup() {
               tmp_access_tty="" tmp_auth_pwd="" tmp_2fa_ssh="" tmp_2fa_tty="" tmp_sudo="" tmp_restricted=""
   declare     var_username="" var_fullname="" var_uid="" var_gid="" var_shell="" var_password="" var_sshpubkey="" \
               var_access_tty="" var_auth_pwd="" var_2fa_ssh="" var_2fa_tty="" var_sudo="" var_restricted=""
-  declare     var_chpasswd="" var_pam_login="/etc/pam.d/login"
+  declare     var_chpasswd="" var_pam_login="/etc/pam.d/login" var_ssh_totp_update="false"
 
   chroot_logger "${TARGET}${var_logfile}"
 
@@ -158,10 +158,19 @@ EOF
   fi
 
   ### 6) Update the 'root' 'totp'-policy and write the '.google_authenticator'-file.
-  [[ "${user_root_authentication_2fa_ssh}" == "true" || "${user_root_authentication_2fa_tty}" == "true" ]] && \
+  if [[ "${user_root_authentication_2fa_ssh}" == "true" || "${user_root_authentication_2fa_tty}" == "true" ]]; then
     write_google_authenticator_file "root"
+  fi
 
-  [[ "${user_root_authentication_2fa_ssh}" == "true" ]] && pam_access_totp_enable "root" "sshd"
+  if [[ "${user_root_authentication_2fa_ssh}" == "true" ]]; then
+    pam_access_totp_enable "root" "sshd"
+    var_ssh_totp_update="true"
+    cat << EOF >> "${TARGET}/etc/ssh/sshd_config"
+Match User root
+    AuthenticationMethods    publickey,keyboard-interactive:pam
+
+EOF
+  fi
 
   [[ "${user_root_authentication_2fa_tty}" == "true" ]] && pam_access_totp_enable "root" "login"
 
@@ -306,16 +315,26 @@ EOF
     fi
 
     ### 6) Update the 'root' 'totp'-policy and write the '.google_authenticator'-file.
-    [[ "${var_2fa_ssh}" == "true" || "${var_2fa_tty}" == "true" ]] && \
+    if [[ "${var_2fa_ssh}" == "true" || "${var_2fa_tty}" == "true" ]]; then
       write_google_authenticator_file "${var_username}"
+    fi
 
-    [[ "${var_2fa_ssh}" == "true" ]] && pam_access_totp_enable "${var_username}" "sshd"
+    if [[ "${var_2fa_ssh}" == "true" ]]; then
+      pam_access_totp_enable "${var_username}" "sshd"
+      var_ssh_totp_update="true"
+      cat << EOF >> "${TARGET}/etc/ssh/sshd_config"
+Match User ${var_username}
+    AuthenticationMethods    publickey,keyboard-interactive:pam
+
+EOF
+    fi
 
     [[ "${var_2fa_tty}" == "true" ]] && pam_access_totp_enable "${var_username}" "login"
 
     ### 7) Check sudo membership for user.
     if [[ "${var_sudo}" == "true" ]]; then
       chroot_exec "${TARGET}" usermod -aG sudo "${var_username}"
+      hardening_sudo "${var_username}"
     fi
 
     ### 8) Final status logging.
@@ -323,9 +342,14 @@ EOF
 
   done
 
+  if [[ "${var_ssh_totp_update}" == "true" ]]; then
+    sed -i -E "s|^[[:space:]]*KbdInteractiveAuthentication[[:space:]]+.*$|$(printf '%-29s%s' 'KbdInteractiveAuthentication' 'yes')|" "${TARGET}/etc/ssh/sshd_config"
+  fi
+
   unset VAR_TEMP_PLAIN_MFA_SEED
   printf "-: ALL:ALL \n" >> "${TARGET}/etc/security/access.conf"
   printf "# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf \n" >> "${TARGET}/etc/security/access.conf"
+  printf "# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf \n" >> "${TARGET}/etc/ssh/sshd_conf"
 
   guard_dir && return 0
 }
@@ -367,6 +391,89 @@ generate_totp_secret() {
   return 0
 }
 
+#######################################
+# Hardening sudo users.
+# Globals:
+#   TARGET
+# Arguments:
+#   1: <username>
+# Returns:
+#   0: on success
+#   ERR_VERIFY_LOGROTATE: on failure
+#   ERR_VERIFY_VISUDO: on failure
+#######################################
+hardening_sudo() {
+  ### Declare Arrays, HashMaps, and Variables.
+  declare     var_user="$1"
+  declare -r  var_logfile="/root/.ciss/cdi/log/4520_accounts_setup.log"
+
+  ### Create sudo log directory.
+  mkdir -p "${TARGET}/var/log/sudo-io"
+  find "${TARGET}/var/log/sudo-io" -type d -exec chmod 0700 {} \;
+
+  ### Create sudoers logfile directive.
+  cat << EOF >> "${TARGET}/etc/sudoers"
+
+##### Added by CISS.debian.installer
+Defaults log_host, log_year, log_input, log_exit_status, log_subcmds, logfile="/var/log/sudo.log", iolog_dir="/var/log/sudo-io"
+EOF
+
+  ### Create sudoers user directive.
+  touch "${TARGET}/etc/sudoers.d/user_${var_user}"
+  cat << EOF >> "${TARGET}/etc/sudoers.d/user_${var_user}"
+${var_user} ALL=NOPASSWD: ALL
+EOF
+
+  ### Set '/etc/sudoers.d' file permissions to 0440.
+  find "${TARGET}/etc/sudoers.d" -type f -exec chmod 0440 {} \;
+
+  ### Verify written '/etc/sudoers.d' configuration.
+  if ! chroot_script "${TARGET}" "export EDITOR=/usr/bin/nano /usr/sbin/visudo -q -c >> ${var_logfile}"; then
+
+    do_log "warn" "file_only" "Command: [chroot_script ${TARGET} export EDITOR=/usr/bin/nano /usr/sbin/visudo -q -c] failed."
+
+    return "${ERR_VERIFY_VISUDO}"
+
+  else
+
+    do_log "info" "file_only" "Command: [chroot_script ${TARGET} export EDITOR=/usr/bin/nano /usr/sbin/visudo -q -c] successful."
+
+  fi
+
+  ### Create sudo log rotation directive.
+  insert_header   "${TARGET}/etc/logrotate.d/sudo"
+  insert_comments "${TARGET}/etc/logrotate.d/sudo"
+  cat << EOF >>   "${TARGET}/etc/logrotate.d/sudo"
+/var/log/sudo.log {
+    daily
+    rotate 90
+    compress
+    missingok
+    notifempty
+    create 600 root root
+    sharedscripts
+    postrotate
+        /usr/bin/systemctl reload sudo.service > /dev/null 2>&1 || true
+    endscript
+}
+EOF
+
+  ### Verify written sudo log rotation configuration.
+  if ! chroot_script "${TARGET}" "logrotate -d /etc/logrotate.conf >> ${var_logfile}"; then
+
+    do_log "warn" "file_only" "Command: [chroot_script ${TARGET} logrotate -d /etc/logrotate.conf] failed."
+
+    return "${ERR_VERIFY_LOGROTATE}"
+
+  else
+
+    do_log "info" "file_only" "Command: [chroot_script ${TARGET} logrotate -d /etc/logrotate.conf] successful."
+
+  fi
+
+  return 0
+}
+
 #######################################
 # Ensure the 'pam_access' line is not activated in '/etc/pam.d/login' and '/etc/pam.d/sshd' in parallel.
 # Globals:

includes/target/etc/ssh/sshd_config

@@ -129,5 +129,3 @@ HostbasedAuthentication      no
 # PermitTTY                  yes
 # PermitUserEnvironment      no
 # IgnoreUserKnownHosts       no
-
-# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf

var/errors.var.sh

@@ -55,6 +55,8 @@ declare -girx ERR_VAR_REGEX_CHK=218     # Error checking VAR against REGEX.
 declare -girx ERR_CONF_VALIDATION=217   # Error checking the respective configuration files.
 declare -girx ERR_CHROOT_LOGGER=216     # An error occurred while preparing the inside chroot log file.
 declare -girx ERR_READ_SEED_FILE=215    # Error reading the mfa TOTP seed file.
+declare -girx ERR_VERIFY_VISUDO=214     # Error verification by 'visudo'.
+declare -girx ERR_VERIFY_LOGROTATE=213  # Error verification by 'logrotate'.
 
 ### Definition of error trap vars.
 declare -gx ERRCODE=""                  # = $?                   = $1 = ERRCODE