msw/CISS.debian.installer
SHA256
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: msw:62b29b310a5ff954ca0fd522e036175090b5ab02b08595bbef8692c51d8a5f27
Branches Tags
msw:master
..
compare: msw:44a1f50bc9cc56cfc35db49c1af7e851986d3589da9400b59b10a1f0d01f513f
Branches Tags
msw:master

2 Commits
62b29b310a ... 44a1f50bc9

Author SHA256 Message Date
Marc S. Weidner
44a1f50bc9 Merge remote-tracking branch 'origin/master'
Some checks failed
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Failing after 5s
Details
2025-09-25 20:18:50 +01:00
Marc S. Weidner
577827dc7a V8.00.000.2025.06.17 
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
 2025-09-25 20:14:53 +01:00
17 changed files with 712 additions and 83 deletions
Expand all files Collapse all files

105
.preseed/preseed.yaml
View File

@@ -96,15 +96,15 @@ firmware:
lookup: "missing" # - "never" Completely disables the firmware search.
# - "missing" Searches only when the firmware is needed. (default)
# - "always" Always searches and asks for any firmware that could be useful for the hardware.
image: "linux-image-6.12.41+deb13-amd64"
image: "linux-image-6.16.3+deb13-amd64"
# Could be a meta-package or a specific image like:
# "linux-image-amd64" || "linux-image-arm64"
# "linux-image-cloud-amd64" || "linux-image-cloud-arm64"
# "linux-image-rt-amd64" || "linux-image-rt-arm64"
# "linux-image-6.12.30+bpo-amd64"
# "linux-image-6.12.38+deb13-amd64"
# "linux-image-6.16.3+deb13-amd64"
needrun: false # Static linking to "${TARGET}/run" can cause problems if this data is "burned" into the target.
provider: "netcup" # MUST be one of "contabo", "hetzner", "netcup" or leave empty.
security_ext: "selinux" # MUST be one of "apparmor" or "selinux".
################################################################################################################################
# Dropbear settings
@@ -133,7 +133,7 @@ grub_parameter:
# default -1 = authorized (same as 1)
# 0 = not authorized, 1 = authorized, 2 = authorized if a device connected to an internal port.
##############################################################################################################################
- usbcore.authorized_default=0
- "usbcore.authorized_default=0"
##############################################################################################################################
# Audit events need to be captured on processes that start up prior to auditd, so that potential malicious activity cannot go
@@ -691,11 +691,13 @@ software:
# ssh
#
##############################################################################################################################
### Installed by 4480_hardening_usb.sh
##############################################################################################################################
# usbguard
#
##############################################################################################################################
### Installed by 4490_hardening_virus.sh
##############################################################################################################################
# chkrootkit
# clamav
# clamav-daemon
# rkhunter
#
##############################################################################################################################
@@ -714,69 +716,74 @@ software:
# wngerman
#
##############################################################################################################################
# core software
# Installed by 4600_installation_packages.sh
##############################################################################################################################
- apt-utils
- bat
- debconf
- debconf-utils
- dialog
- knot-dnssecutils
- knot-dnsutils
- locate
- rsyslog
- screen
- spectre-meltdown-checker
- sysstat
##############################################################################################################################
# documentation
##############################################################################################################################
- debian-kernel-handbook
- linux-doc-6.12
- man-db
##############################################################################################################################
# encryption
##############################################################################################################################
- pollinate
##############################################################################################################################
# files
##############################################################################################################################
- rsnapshot
- rsync
- zip
##############################################################################################################################
# network
##############################################################################################################################
- borgbackup
- borgbackup-doc
- dhcpdump
- dhcping
- dialog
- expect
- htop
- iftop
- locate
- man-db
- manpages
- manpages-dev
- mdadm
- mtr
- ncat
- net-tools
- nmap
- tshark
- rsnapshot
- rsync
- sysstat
- unzip
- zip
##############################################################################################################################
# partitioning
# diagnostics
##############################################################################################################################
- mdadm
#- knot-dnssecutils
#- knot-dnsutils
#- nmap
#- spectre-meltdown-checker
#- tshark
##############################################################################################################################
# sw dev
##############################################################################################################################
#- apt-utils
#- build-essential
#- clang
#- debconf
#- debconf-utils
#- debootstrap
#- linux-source
#- lld
#- shellcheck
#- ssl-cert
##############################################################################################################################
# tools
# Installed by 4610_installation_security.sh
##############################################################################################################################
- expect
- figlet
- htop
- keychain
- virt-what
# apparmor
# apparmor-profiles
# apparmor-profiles-extra
# apparmor-utils
# selinux-basics
# selinux-policy-default
# selinux-utils
# setools
# semodule-utils
# sepol-utils
# policycoreutils
# policycoreutils-python-utils
# checkpolicy
# python3-setools
##############################################################################################################################
# Installed by 4620_installation_verification.sh
##############################################################################################################################
# aide
# aide-common
# audit
# debsums
################################################################################################################################
# Time settings

11
ciss_debian_installer.sh
View File

@@ -12,12 +12,10 @@
### Contributions so far see ./docs/CREDITS.md
# TODO: Implement this function 4215_check_crypttab.sh
# TODO: Update .dot files.
# TODO: Update README.md for each lib and func dir.
# TODO: Update MANPAGE.md for each func.
# TODO: Implement Clang Build Chain and Secure Boot PK CISS.ROOT.CA Signing Workflow
# TODO: Check Packages for installation. Refactor preseed.yaml, 4130_installation_toolset.sh, 4700_setup_packages.sh
# TODO: Hardening Scripts Integration
# TODO: Recovery Partition Integration
# TODO: Grub Boot Menu Update for Recovery Integration
@@ -333,6 +331,8 @@ info_echo "4470_hardening_ufw.sh"
hardening_ufw
info_echo "4480_hardening_usb.sh"
hardening_usb
info_echo "4490_hardening_virus.sh"
hardening_virus
### CDI_4500
info_echo "4500_accounts_preparation.sh"
@@ -343,7 +343,12 @@ info_echo "4520_accounts_setup.sh"
accounts_setup
### CDI_4600
#info_echo "4205_check_fstab.sh"
info_echo "4600_installation_packages.sh"
installation_packages
info_echo "4610_installation_security.sh"
installation_security
info_echo "4620_installation_verification.sh"
install_verification
#info_echo "4610_finalize_system.sh"

10
func/cdi_1250_yaml/1251_yaml_reader.sh
View File

@@ -43,7 +43,7 @@ yaml_reader() {
declare -gx VAR_RECIPE_STRING="" VAR_RECIPE_HIGHEST_DEVICE="" VAR_ARCHITECTURE="" VAR_RECIPE_FIRMWARE="" VAR_NUKE="" \
VAR_RECIPE_TABLE="" VAR_NEED_RUN_IN_TARGET="false" VAR_CODENAME="" VAR_DROPBEAR="" VAR_RECOVERY="" \
VAR_GRUB_PASSWORD="false" VAR_SSH_PORT="22" VAR_DEB822="true" VAR_PROVIDER="" VAR_SSH_CA="" VAR_UFW_OUT="deny" \
VAR_CHROOT_DEBUG="false"
VAR_CHROOT_DEBUG="false" VAR_SEC_FW="selinux" VAR_APT_FULL_UPGRADE="true"
### Declare and substitute input files.
declare -r var_if="${VAR_PRESEED}"
declare var_line="" var_middle_part="" var_highest_dev="" var_device="" var_fields="" var_partition="" \
@@ -143,6 +143,10 @@ END { print max }
# shellcheck disable=SC2034
VAR_DEB822="${apt_default_deb822,,}"
### Extract Upgrade Policy.
# shellcheck disable=SC2034
VAR_APT_FULL_UPGRADE="${apt_full_upgrade,,}"
### Extract architecture.
# shellcheck disable=SC2034
VAR_ARCHITECTURE="${architecture,,}"
@@ -220,6 +224,10 @@ END { print max }
# shellcheck disable=SC2034
VAR_RECOVERY="${!recipe_recovery_var,,}"
### Extract security extensions.
# shellcheck disable=SC2034
VAR_SEC_FW="${security_ext,,}"
### Extract ufw outgoing policy.
# shellcheck disable=SC2034
VAR_UFW_OUT="${security_ufw_out,,}"

31
func/cdi_4100_base/4121_installation_initramfs.sh
View File

@@ -28,7 +28,14 @@ guard_sourcing
#######################################
installation_initramfs() {
### Declare Arrays, HashMaps, and Variables.
declare var_modules=""
declare var_modules="" var_whereiam=""
# shellcheck disable=SC2312
if [[ -x "$(command -v virt-what)" ]]; then
var_whereiam=$(virt-what | head -n1)
else
var_whereiam=$(grep -iE 'kvm|vmware|qemu' /sys/class/dmi/id/product_name 2>/dev/null || echo "baremetal")
fi
mkdir -p "${TARGET}/etc/initramfs-tools/files"
@@ -41,13 +48,29 @@ installation_initramfs() {
var_modules=$(grep_nic_driver_modules)
cat << EOF >> "${TARGET}/etc/initramfs-tools/modules"
### Custom NIC driver
### Custom NIC driver:
${var_modules}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
EOF
if [[ "${var_whereiam}" =~ ^(kvm|vmware|qemu)$ ]]; then
cat << EOF >> "${TARGET}/etc/initramfs-tools/modules"
### QEMU Bochs-compatible virtual machine support:
bochs
### Virtio support:
virtio_pci
virtio_blk
virtio_scsi
virtio_console
virtio_rng
EOF
fi
printf "%s\n" '# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf' >> "${TARGET}/etc/initramfs-tools/modules"
### MODULES: [ most | netboot | dep | list ]
## 'most' - Add most filesystem and all hard-drive drivers.
## 'dep' - Try and guess the modules to load.

13
func/cdi_4200_boot/4250_update_grub_bootparameter.sh
View File

@@ -10,7 +10,7 @@
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
### Options in "GRUB_CMDLINE_LINUX" are always effective.
### Options in "GRUB_CMDLINE_LINUX" are always effective, (incl. recovery).
### Options in "GRUB_CMDLINE_LINUX_DEFAULT" are effective ONLY during normal boot (NOT during recovery mode).
guard_sourcing
@@ -25,6 +25,7 @@ guard_sourcing
# VAR_DROPBEAR
# VAR_NUKE
# VAR_NUKE_HASH
# VAR_SEC_FW
# VV_GRUB_CMDLINE_LINUX
# VV_GRUB_CMDLINE_LINUX_DEFAULT
# Arguments:
@@ -55,6 +56,16 @@ update_grub_bootparameter() {
done
if [[ "${VAR_SEC_FW}" == "apparmor" ]]; then
VV_GRUB_CMDLINE_LINUX="${VV_GRUB_CMDLINE_LINUX} apparmor=1 security=apparmor lsm=lockdown,yama,integrity,apparmor,bpf"
elif [[ "${VAR_SEC_FW}" == "selinux" ]]; then
### We start in permissive mode first, so we don't pass 'enforcing=1' through the command line.
VV_GRUB_CMDLINE_LINUX="${VV_GRUB_CMDLINE_LINUX} selinux=1 security=selinux"
fi
if [[ "${VAR_DROPBEAR}" == "true" ]]; then
var_label="${HMP_PATH_ENCLABEL["/"]}"

38
func/cdi_4400_hardening/4490_hardening_virus.sh Normal file
View File

@@ -0,0 +1,38 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
guard_sourcing
#######################################
# Installing anti-rootkit and antivirus packages.
# Globals:
# TARGET
# Arguments:
# None
# Returns:
# 0: on success
#######################################
hardening_virus() {
### Declare Arrays, HashMaps, and Variables.
declare -r var_logfile="/root/.ciss/cdi/log/4490_hardening_virus.log"
chroot_logger "${TARGET}${var_logfile}"
chroot_script "${TARGET}" "
export INITRD=No
apt-get install -y --no-install-recommends --no-install-suggests rkhunter 2>&1 | tee -a ${var_logfile}
echo ExitCode: \$? >> ${var_logfile}
"
guard_dir && return 0
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

48
func/cdi_4600_packages/4600_installation_packages.sh Normal file
View File

@@ -0,0 +1,48 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
guard_sourcing
#######################################
# Installs the desired packages.
# Globals:
# ARY_PACKAGES
# TARGET
# Arguments:
# None
# Returns:
# 0: on success
#######################################
installation_packages() {
### Declare Arrays, HashMaps, and Variables.
declare -r var_logfile="/root/.ciss/cdi/log/4600_installation_packages.log"
chroot_logger "${TARGET}${var_logfile}"
chroot_script "${TARGET}" "
export INITRD=No
apt-get install -y --no-install-recommends --no-install-suggests ${ARY_PACKAGES[*]} 2>&1 | tee -a ${var_logfile}
echo ExitCode: \$? >> ${var_logfile}
"
if [[ "${VAR_APT_FULL_UPGRADE}" == "true" ]]; then
chroot_script "${TARGET}" "
export INITRD=No
apt-get update 2>&1 | tee -a ${var_logfile}
apt-get upgrade -y 2>&1 | tee -a ${var_logfile}
echo ExitCode: \$? >> ${var_logfile}
"
fi
guard_dir && return 0
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

102
func/cdi_4600_packages/4610_installation_security.sh Normal file
View File

@@ -0,0 +1,102 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
guard_sourcing
#######################################
# Installs the desired security extension framework.
# Globals:
# TARGET
# VAR_SEC_FW
# VAR_SSH_PORT
# Arguments:
# None
# Returns:
# 0: on success
#######################################
installation_security() {
### Declare Arrays, HashMaps, and Variables.
declare -r var_logfile="/root/.ciss/cdi/log/4610_installation_security.log"
declare -ar ary_apparmor=( "apparmor" "apparmor-profiles" "apparmor-profiles-extra" "apparmor-utils" )
declare -ar ary_selinux=( "selinux-basics" "selinux-policy-default" "selinux-utils" "setools" "semodule-utils" "sepol-utils" \
"policycoreutils" "policycoreutils-python-utils" "checkpolicy" "python3-setools" )
declare -a ary_fw=("${ary_selinux[@]}")
chroot_logger "${TARGET}${var_logfile}"
[[ "${VAR_SEC_FW}" == "apparmor" ]] && ary_fw=("${ary_apparmor[@]}")
[[ "${VAR_SEC_FW}" == "selinux" ]] && ary_fw=("${ary_selinux[@]}")
chroot_script "${TARGET}" "
export INITRD=No
apt-get install -y --no-install-recommends --no-install-suggests ${ary_fw[*]} 2>&1 | tee -a ${var_logfile}
echo ExitCode: \$? >> ${var_logfile}
if [[ ${VAR_SEC_FW} == apparmor ]]; then
systemctl enable apparmor 2>&1 | tee -a ${var_logfile} || true
fi
"
if [[ "${VAR_SEC_FW}" == "selinux" ]]; then
mkdir -p "${TARGET}/etc/selinux" "${TARGET}/root/.ciss/cdi/backup/etc/selinux"
[[ -f "${TARGET}/etc/selinux/config" ]] && mv "${TARGET}/etc/selinux/config" "${TARGET}/root/.ciss/cdi/backup/etc/selinux"
insert_header "${TARGET}/etc/selinux/config"
insert_comments "${TARGET}/etc/selinux/config"
cat << 'EOF' >> "${TARGET}/etc/selinux/config"
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing : SELinux security policy is enforced.
# permissive: SELinux prints warnings instead of enforcing.
# disabled : SELinux policy is not loaded.
SELINUX=permissive
# SELINUXTYPE= can take one of these two values:
# default: equivalent to the old strict and targeted policies.
# mls : Multi-Level Security (for military and educational use).
# src : Custom policy built from source.
SELINUXTYPE=default
# SETLOCALDEFS= Check local definition changes
SETLOCALDEFS=0
EOF
### Trigger a full relabeling on the first boot of the target.
touch "${TARGET}/.autorelabel"
chroot_script "${TARGET}" "
semanage port -a -t ssh_port_t -p tcp ${VAR_SSH_PORT}
"
### Enable PAM SELinux modules in common-session configs
sed -i '/^session.*required.*pam_selinux\.so/d' "${TARGET}/etc/pam.d/common-session"
sed -i '/^session.*required.*pam_selinux\.so/d' "${TARGET}/etc/pam.d/common-session-noninteractive"
cat << 'EOF' >> "${TARGET}/etc/pam.d/common-session"
session required pam_selinux.so close
session required pam_selinux.so open
EOF
cat << 'EOF' >> "${TARGET}/etc/pam.d/common-session-noninteractive"
session required pam_selinux.so close
session required pam_selinux.so open
EOF
fi
guard_dir && return 0
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

376
func/cdi_4600_packages/4620_installation_verification.sh Normal file
View File

@@ -0,0 +1,376 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
guard_sourcing
### https://github.com/linux-audit/audit-userspace/tree/master/rules
#######################################
# Installs 'aide', 'audit', and 'debsums' audit and logging packages.
# Globals:
# TARGET
# VAR_SEC_FW
# Arguments:
# None
# Returns:
# 0: on success
#######################################
install_verification() {
### Declare Arrays, HashMaps, and Variables.
declare -r var_logfile="/root/.ciss/cdi/log/4620_installation_verification.log"
chroot_logger "${TARGET}${var_logfile}"
chroot_script "${TARGET}" "
export INITRD=No
apt-get install -y --no-install-recommends --no-install-suggests auditd 2>&1 | tee -a ${var_logfile}
echo ExitCode: \$? >> ${var_logfile}
"
rm -f "${TARGET}/etc/audit/rules.d/audit.rules"
############################################################### /etc/audit/rules.d/10-base-config.rules
cat << EOF >| "${TARGET}/etc/audit/rules.d/10-base-config.rules"
## First rule - delete all
-D
## Increase the buffers to survive stress events.
## Make this bigger for busy systems
-b 8192
## This determine how long to wait in burst of events
--backlog_wait_time 60000
## Set failure mode to syslog
-f 1
EOF
############################################################### /etc/audit/rules.d/11-loginuid.rules
cat << EOF >| "${TARGET}/etc/audit/rules.d/11-loginuid.rules"
--loginuid-immutable
EOF
############################################################### /etc/audit/rules.d/20-dont-audit.rules
cat << EOF >| "${TARGET}/etc/audit/rules.d/20-dont-audit.rules"
## This is for don't audit rules. We put these early because audit
## is a first match wins system. Uncomment the rules you want.
## Cron jobs fill the logs with stuff we normally don't want
-a never,user
## This prevents chrony from overwhelming the logs
-a never,exit -F arch=b64 -S adjtimex -F exe=/usr/sbin/chronyd
-a never,exit -F arch=b32 -S adjtimex -F exe=/usr/sbin/chronyd
## Human-attributable time changes
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -S clock_settime -F auid>=1000 -F auid!=4294967295 -k time-change
-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S clock_settime -F auid>=1000 -F auid!=4294967295 -k time-change
### This is not very interesting and wastes a lot of space if
### the server is public facing
-a always,exclude -F msgtype=CRYPTO_KEY_USER
EOF
############################################################### /etc/audit/rules.d/21-no32bit.rules
cat << EOF >| "${TARGET}/etc/audit/rules.d/21-no32bit.rules"
## If you are on a 64 bit platform, everything _should_ be running
## in 64 bit mode. This rule will detect any use of the 32 bit syscalls
## because this might be a sign of someone exploiting a hole in the 32
## bit ABI.
-a always,exit -F arch=b32 -S all -F key=32bit-abi
EOF
############################################################### /etc/audit/rules.d/22-ignore-chrony.rules
cat << EOF >| "${TARGET}/etc/audit/rules.d/22-ignore-chrony.rules"
## This rule suppresses the time-change event when chrony does time updates
-a never,exit -F arch=b64 -S adjtimex -F auid=unset -F uid=_chrony
-a never,exit -F arch=b32 -S adjtimex -F auid=unset -F uid=_chrony
EOF
############################################################### /etc/audit/rules.d/30-ospp-v42-1-create-failed.rules
cat << EOF >| "${TARGET}/etc/audit/rules.d/30-ospp-v42-1-create-failed.rules"
## Unsuccessful file creation (open with O_CREAT)
-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
-a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
-a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
-a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
-a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
-a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
-a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
-a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
EOF
############################################################### /etc/audit/rules.d/30-ospp-v42-1-create-success.rules
cat << EOF >| "${TARGET}/etc/audit/rules.d/30-ospp-v42-1-create-success.rules"
## Successful file creation (open with O_CREAT)
-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create
-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create
-a always,exit -F arch=b32 -S open -F a1&0100 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create
-a always,exit -F arch=b64 -S open -F a1&0100 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create
-a always,exit -F arch=b32 -S creat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create
-a always,exit -F arch=b64 -S creat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create
EOF
############################################################### /etc/audit/rules.d/30-ospp-v42-2-modify-failed.rules
cat << EOF >| "${TARGET}/etc/audit/rules.d/30-ospp-v42-2-modify-failed.rules"
## Unsuccessful file modifications (open for write or truncate)
-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
-a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
-a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
-a always,exit -F arch=b32 -S truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
-a always,exit -F arch=b64 -S truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
-a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
-a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
-a always,exit -F arch=b32 -S truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
-a always,exit -F arch=b64 -S truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
EOF
############################################################### /etc/audit/rules.d/30-ospp-v42-2-modify-success.rules
cat << EOF >| "${TARGET}/etc/audit/rules.d/30-ospp-v42-2-modify-success.rules"
## Successful file modifications (open for write or truncate)
-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification
-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification
-a always,exit -F arch=b32 -S open -F a1&01003 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification
-a always,exit -F arch=b64 -S open -F a1&01003 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification
-a always,exit -F arch=b32 -S truncate,ftruncate -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification
-a always,exit -F arch=b64 -S truncate,ftruncate -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification
EOF
############################################################### /etc/audit/rules.d/30-ospp-v42-3-access-failed.rules
cat << EOF >| "${TARGET}/etc/audit/rules.d/30-ospp-v42-3-access-failed.rules"
## Unsuccessful file access (any other opens) This has to go last.
-a always,exit -F arch=b32 -S open,openat,openat2,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-access
-a always,exit -F arch=b64 -S open,openat,openat2,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-access
-a always,exit -F arch=b32 -S open,openat,openat2,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-access
-a always,exit -F arch=b64 -S open,openat,openat2,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-access
EOF
############################################################### /etc/audit/rules.d/30-ospp-v42-3-access-success.rules
cat << EOF >| "${TARGET}/etc/audit/rules.d/30-ospp-v42-3-access-success.rules"
## Successful file access (any other opens) This has to go last.
## These next two are likely to result in a whole lot of events
-a always,exit -F arch=b32 -S open,openat,openat2,open_by_handle_at -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-access
-a always,exit -F arch=b64 -S open,openat,openat2,open_by_handle_at -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-access
EOF
############################################################### /etc/audit/rules.d/30-ospp-v42-4-delete-failed.rules
cat << EOF >| "${TARGET}/etc/audit/rules.d/30-ospp-v42-4-delete-failed.rules"
## Unsuccessful file delete
-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
-a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
-a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
EOF
############################################################### /etc/audit/rules.d/30-ospp-v42-4-delete-success.rules
cat << EOF >| "${TARGET}/etc/audit/rules.d/30-ospp-v42-4-delete-success.rules"
## Successful file delete
-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-delete
-a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-delete
EOF
############################################################### /etc/audit/rules.d/30-ospp-v42-5-perm-change-failed.rules
cat << EOF >| "${TARGET}/etc/audit/rules.d/30-ospp-v42-5-perm-change-failed.rules"
## Unsuccessful permission change
-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-perm-change
-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-perm-change
-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-perm-change
-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-perm-change
EOF
############################################################### /etc/audit/rules.d/30-ospp-v42-5-perm-change-success.rules
cat << EOF >| "${TARGET}/etc/audit/rules.d/30-ospp-v42-5-perm-change-success.rules"
## Successful permission change
-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-perm-change
-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-perm-change
EOF
############################################################### /etc/audit/rules.d/30-ospp-v42-6-owner-change-failed.rules
cat << EOF >| "${TARGET}/etc/audit/rules.d/30-ospp-v42-6-owner-change-failed.rules"
## Unsuccessful ownership change
-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-owner-change
-a always,exit -F arch=b64 -S lchown,fchown,chown,fchownat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-owner-change
-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-owner-change
-a always,exit -F arch=b64 -S lchown,fchown,chown,fchownat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-owner-change
EOF
############################################################### /etc/audit/rules.d/30-ospp-v42-6-owner-change-success.rules
cat << EOF >| "${TARGET}/etc/audit/rules.d/30-ospp-v42-6-owner-change-success.rules"
## Successful ownership change
-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-owner-change
-a always,exit -F arch=b64 -S lchown,fchown,chown,fchownat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-owner-change
EOF
############################################################### /etc/audit/rules.d/30-ospp-v42.rules
cat << EOF >| "${TARGET}/etc/audit/rules.d/30-ospp-v42.rules"
## The purpose of these rules is to meet the requirements for Operating
## System Protection Profile (OSPP)v4.2. These rules depends on having
## the following rule files copied to /etc/audit/rules.d:
##
## 10-base-config.rules, 11-loginuid.rules,
## 30-ospp-v42-1-create-failed.rules, 30-ospp-v42-1-create-success.rules,
## 30-ospp-v42-2-modify-failed.rules, 30-ospp-v42-2-modify-success.rules,
## 30-ospp-v42-3-access-failed.rules, 30-ospp-v42-3-access-success.rules,
## 30-ospp-v42-4-delete-failed.rules, 30-ospp-v42-4-delete-success.rules,
## 30-ospp-v42-5-perm-change-failed.rules,
## 30-ospp-v42-5-perm-change-success.rules,
## 30-ospp-v42-6-owner-change-failed.rules,
## 30-ospp-v42-6-owner-change-success.rules
##
## original copies may be found in /usr/share/audit-rules
## User add delete modify. This is covered by pam. However, someone could
## open a file and directly create or modify a user, so we'll watch passwd and
## shadow for writes
-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify
-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify
-a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify
-a always,exit -F arch=b64 -S open -F a1&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify
-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify
-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify
-a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify
-a always,exit -F arch=b64 -S open -F a1&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify
## User enable and disable. This is entirely handled by pam.
## Group add delete modify. This is covered by pam. However, someone could
## open a file and directly create or modify a user, so we'll watch group and
## gshadow for writes
-a always,exit -F arch=b32 -F path=/etc/passwd -F perm=wa -F auid>=1000 -F auid!=unset -F key=user-modify
-a always,exit -F arch=b64 -F path=/etc/passwd -F perm=wa -F auid>=1000 -F auid!=unset -F key=user-modify
-a always,exit -F arch=b32 -F path=/etc/shadow -F perm=wa -F auid>=1000 -F auid!=unset -F key=user-modify
-a always,exit -F arch=b64 -F path=/etc/shadow -F perm=wa -F auid>=1000 -F auid!=unset -F key=user-modify
-a always,exit -F arch=b32 -F path=/etc/group -F perm=wa -F auid>=1000 -F auid!=unset -F key=group-modify
-a always,exit -F arch=b64 -F path=/etc/group -F perm=wa -F auid>=1000 -F auid!=unset -F key=group-modify
-a always,exit -F arch=b32 -F path=/etc/gshadow -F perm=wa -F auid>=1000 -F auid!=unset -F key=group-modify
-a always,exit -F arch=b64 -F path=/etc/gshadow -F perm=wa -F auid>=1000 -F auid!=unset -F key=group-modify
## Use of special rights for config changes. This would be use of setuid
## programs that relate to user accts. This is not all setuid apps because
## requirements are only for ones that affect system configuration.
-a always,exit -F arch=b32 -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F arch=b64 -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F arch=b32 -F path=/usr/sbin/usernetctl -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F arch=b64 -F path=/usr/sbin/usernetctl -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F arch=b32 -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F arch=b64 -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F arch=b32 -F path=/usr/sbin/seunshare -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F arch=b64 -F path=/usr/sbin/seunshare -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F arch=b32 -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F arch=b64 -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F arch=b32 -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F arch=b64 -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F arch=b32 -F path=/usr/bin/newuidmap -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F arch=b64 -F path=/usr/bin/newuidmap -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F arch=b32 -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F arch=b64 -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F arch=b32 -F path=/usr/bin/newgidmap -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F arch=b64 -F path=/usr/bin/newgidmap -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F arch=b32 -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F arch=b64 -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F arch=b32 -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F arch=b64 -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F arch=b32 -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F arch=b64 -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F arch=b32 -F path=/usr/bin/at -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F arch=b64 -F path=/usr/bin/at -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F arch=b32 -F path=/usr/sbin/grub2-set-bootflag -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F arch=b64 -F path=/usr/sbin/grub2-set-bootflag -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
## Privilege escalation via su or sudo. This is entirely handled by pam.
## Special case for systemd-run. It is not audit aware, specifically watch it
-a always,exit -F arch=b32 -F path=/usr/bin/systemd-run -F perm=x -F auid!=unset -F key=maybe-escalation
-a always,exit -F arch=b64 -F path=/usr/bin/systemd-run -F perm=x -F auid!=unset -F key=maybe-escalation
## Special case for pkexec. It is not audit aware, specifically watch it
-a always,exit -F arch=b32 -F path=/usr/bin/pkexec -F perm=x -F key=maybe-escalation
-a always,exit -F arch=b64 -F path=/usr/bin/pkexec -F perm=x -F key=maybe-escalation
## Watch for configuration changes to privilege escalation.
-a always,exit -F arch=b32 -F path=/etc/sudoers -F perm=wa -F key=special-config-changes
-a always,exit -F arch=b64 -F path=/etc/sudoers -F perm=wa -F key=special-config-changes
-a always,exit -F arch=b32 -F dir=/etc/sudoers.d/ -F perm=wa -F key=special-config-changes
-a always,exit -F arch=b64 -F dir=/etc/sudoers.d/ -F perm=wa -F key=special-config-changes
## Audit log access
-a always,exit -F arch=b32 -F dir=/var/log/audit/ -F perm=r -F auid>=1000 -F auid!=unset -F key=access-audit-trail
-a always,exit -F arch=b64 -F dir=/var/log/audit/ -F perm=r -F auid>=1000 -F auid!=unset -F key=access-audit-trail
## Attempts to Alter Process and Session Initiation Information
-a always,exit -F arch=b32 -F path=/var/run/utmp -F perm=wa -F auid>=1000 -F auid!=unset -F key=session
-a always,exit -F arch=b64 -F path=/var/run/utmp -F perm=wa -F auid>=1000 -F auid!=unset -F key=session
-a always,exit -F arch=b32 -F path=/var/log/btmp -F perm=wa -F auid>=1000 -F auid!=unset -F key=session
-a always,exit -F arch=b64 -F path=/var/log/btmp -F perm=wa -F auid>=1000 -F auid!=unset -F key=session
-a always,exit -F arch=b32 -F path=/var/log/wtmp -F perm=wa -F auid>=1000 -F auid!=unset -F key=session
-a always,exit -F arch=b64 -F path=/var/log/wtmp -F perm=wa -F auid>=1000 -F auid!=unset -F key=session
## Attempts to modify MAC controls
-a always,exit -F arch=b32 -F dir=/etc/selinux/ -F perm=wa -F auid>=1000 -F auid!=unset -F key=MAC-policy
-a always,exit -F arch=b64 -F dir=/etc/selinux/ -F perm=wa -F auid>=1000 -F auid!=unset -F key=MAC-policy
## Application invocation. The requirements list an optional requirement
## FPT_SRP_EXT.1 Software Restriction Policies. This event is intended to
## state results from that policy. This would be handled entirely by
## that daemon.
EOF
############################################################### /etc/audit/rules.d/99-finalize.rules
cat << EOF >| "${TARGET}/etc/audit/rules.d/99-finalize.rules"
-e 2
EOF
chroot_script "${TARGET}" "
systemctl enable auditd.service 2>&1 | tee -a ${var_logfile}
echo ExitCode: \$? >> ${var_logfile}
"
### Validate and build audit rules now; fail early if syntax is wrong.
chroot_script "${TARGET}" "
if command -v augenrules >/dev/null 2>&1; then
augenrules --load 2>&1 | tee -a ${var_logfile}
echo ExitCode: \$? >> ${var_logfile}
else
### Fallback: build consolidated rules file without loading into the kernel.
if command -v bash >/dev/null 2>&1; then
bash -lc 'cat /etc/audit/rules.d/*.rules > /etc/audit/audit.rules'
fi
fi
"
chroot_script "${TARGET}" "
export INITRD=No
apt-get install -y --no-install-recommends --no-install-suggests aide aide-common 2>&1 | tee -a ${var_logfile}
echo ExitCode: \$? >> ${var_logfile}
sed -i 's/Checksums = H/Checksums = sha512/' /etc/aide/aide.conf
aideinit > /dev/null 2>> ${var_logfile}
"
chroot_script "${TARGET}" "
export INITRD=No
apt-get install -y --no-install-recommends --no-install-suggests debsums 2>&1 | tee -a ${var_logfile}
echo ExitCode: \$? >> ${var_logfile}
if ! debsums -g >> ${var_logfile} 2>> ${var_logfile}; then
printf 'Running debsums -g - encountered errors.' >> ${var_logfile}
fi
"
guard_dir && return 0
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

0
func/cdi_4600_verification/4610_finalize_system.sh → func/cdi_4700_verification/4610_finalize_system.sh
View File

0
func/cdi_4600_verification/4670_verify_system.sh → func/cdi_4700_verification/4670_verify_system.sh
View File

0
func/cdi_4600_verification/4680_check_sshd_config_integrity.sh → func/cdi_4700_verification/4680_check_sshd_config_integrity.sh
View File

0
func/cdi_4600_verification/4690_check_grub_cmdline.sh → func/cdi_4700_verification/4690_check_grub_cmdline.sh
View File

0
func/cdi_4600_verification/4699_check_usr_merge.sh → func/cdi_4700_verification/4699_check_usr_merge.sh
View File

38
includes/target/etc/initramfs-tools/modules
View File

@@ -21,51 +21,57 @@
# raid1
# sd_mod
### QEMU Bochs-compatible virtual machine support
bochs
### Entropy source for '/dev/random':
jitterentropy_rng
### Device-mapper core module (required for all dm_* features)
### Device-mapper core module (required for all dm_* features):
dm_mod
### Device-mapper integrity target (provides integrity checking)
### Device-mapper integrity target (provides integrity checking):
dm_integrity
### Device-mapper crypt target (provides disk encryption)
### Device-mapper crypt target (provides disk encryption):
dm_crypt
### Generic AES block cipher implementation (used by dm-crypt)
### Crypto primitives for LUKS2 / AES-XTS:
aes_x86_64
xts
serpent_generic
twofish_generic
### Generic AES block cipher implementation (used by dm-crypt):
aes_generic
### Generic SHA-256 hashing algorithm (used by various crypto and integrity targets)
### Generic SHA-256 hashing algorithm (used by various crypto and integrity targets):
sha256_generic
### Generic SHA-384 hashing algorithm (used by various crypto and integrity targets)
### Generic SHA-384 hashing algorithm (used by various crypto and integrity targets):
sha384_generic
### Generic SHA-512 hashing algorithm (used by various crypto and integrity targets)
### Generic SHA-512 hashing algorithm (used by various crypto and integrity targets):
sha512_generic
### Generic CRC32C checksum implementation (used by btrfs and other filesystems)
### Generic CRC32C checksum implementation (used by btrfs and other filesystems):
crc32c_generic
crc32c_intel
### Main btrfs filesystem module
### Main btrfs filesystem module:
btrfs
### Ensure Btrfs root on LUKS works with zstd-compressed extents
### Ensure Btrfs root on LUKS works with zstd-compressed extents:
zstd
zstd_compress
xxhash
### XOR parity implementation for RAID functionality
### XOR parity implementation for RAID functionality:
xor
### RAID6 parity generation module
### RAID6 parity generation module:
raid6_pq
### Combined RAID4/5/6 support module
### Combined RAID4/5/6 support module:
raid456
### Ensure ESP support
### Ensure ESP support:
fat
vfat

7
meta_loader_func.sh
View File

@@ -94,13 +94,18 @@ source_guard "./func/cdi_4400_hardening/4450_hardening_memory.sh"
source_guard "./func/cdi_4400_hardening/4460_hardening_openssl.sh"
source_guard "./func/cdi_4400_hardening/4470_hardening_ufw.sh"
source_guard "./func/cdi_4400_hardening/4480_hardening_usb.sh"
source_guard "./func/cdi_4400_hardening/4490_hardening_virus.sh"
### cdi_4500_user
source_guard "./func/cdi_4500_user/4500_accounts_preparation.sh"
source_guard "./func/cdi_4500_user/4510_accounts_hardening.sh"
source_guard "./func/cdi_4500_user/4520_accounts_setup.sh"
### cdi_4600_verification
### cdi_4600_packages
source_guard "./func/cdi_4600_packages/4600_installation_packages.sh"
source_guard "./func/cdi_4600_packages/4610_installation_security.sh"
source_guard "./func/cdi_4600_packages/4620_installation_verification.sh"
#source_guard "./func/cdi_4600_verification/4610_finalize_system.sh"
#source_guard "./func/cdi_4600_verification/4670_verify_system.sh"
#source_guard "./func/cdi_4600_verification/4680_check_sshd_config_integrity.sh"