V8.00.000.2025.06.17

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>

func/cdi_4500_user/4510_accounts_hardening.sh

@@ -26,7 +26,6 @@ accounts_hardening() {
   ### Declare Arrays, HashMaps, and Variables.
   declare -a  ary_security_pkgs=()
   declare -r  var_logfile="/root/.ciss/cdi/log/4510_accounts_hardening.log"
-  declare     t=""
 
   chroot_logger "${TARGET}${var_logfile}"
 
@@ -44,13 +43,22 @@ accounts_hardening() {
   chmod 0640 "${TARGET}/etc/ciss/2fa.users"
 
   ### Keep 'tty1' active, disable the rest.
-  chroot_script "${TARGET}" "
+  # shellcheck disable=SC2016
+  chroot_script "${TARGET}" '
     systemctl unmask getty@tty1.service
     systemctl enable getty@tty1.service
     for t in tty2 tty3 tty4 tty5 tty6; do
       systemctl mask getty@${t}.service
     done
     systemctl mask serial-getty@.service
+  '
+
+  chroot_script "${TARGET}" "
+    if [[ ! -f /etc/securetty ]]; then
+      touch /etc/securetty
+      chmod 0600 /etc/securetty
+      chown root:root /etc/securetty
+    fi
   "
 
   ### Hardening file permissions.
@@ -58,7 +66,7 @@ accounts_hardening() {
   chown root:shadow "${TARGET}/etc/shadow" "${TARGET}/etc/gshadow"
   chmod 0644 "${TARGET}/etc/passwd" "${TARGET}/etc/group"
   chmod 0640 "${TARGET}/etc/shadow" "${TARGET}/etc/gshadow"
-  chmod 0600 "${TARGET}/etc/securetty" "${TARGET}/etc/security/access.conf"
+  chmod 0600 "${TARGET}/etc/security/access.conf"
 
   ### Hardening '/etc/login.defs'.
   mkdir -p "${TARGET}/root/.ciss/cdi/backup/etc"