msw/CISS.debian.installer
SHA256
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: msw:c501b8de5a669bad500fd8cdba1d0fab6c2cc59e7fdeb8836db8b55c9da662a3
Branches Tags
msw:master
...
compare: msw:d8c4bc665ab840f52ff7b4060466105fec805a22f2abc096dd6b5d2ce63c05bd
Branches Tags
msw:master

2 Commits
c501b8de5a ... d8c4bc665a

Author SHA256 Message Date
Marc S. Weidner
d8c4bc665a V8.00.000.2025.06.17
All checks were successful
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 1m47s
Details 
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
 2025-10-22 23:04:12 +01:00
Marc S. Weidner
bd614c17c9 V8.00.000.2025.06.17 
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
 2025-10-22 22:39:10 +01:00
4 changed files with 70 additions and 19 deletions
Expand all files Collapse all files

5
func/cdi_4200_boot/4230_installation_grub.sh
View File

@@ -266,7 +266,6 @@ readonly -f install_grub_bios
# Globals: # Globals:
# TARGET # TARGET
# VAR_MODINFO_PATH # VAR_MODINFO_PATH
# grub_bootdev
# grub_update_nvram # grub_update_nvram
# var_update_grub_required # var_update_grub_required
# Arguments: # Arguments:
@@ -300,8 +299,8 @@ install_grub_uefi() {
[[ "${grub_update_nvram}" == "false" ]] && ary_uefi_arg+=( --no-nvram ) [[ "${grub_update_nvram}" == "false" ]] && ary_uefi_arg+=( --no-nvram )
chroot_exec "${TARGET}" grub-install "${ary_uefi_arg[@]}" "${grub_bootdev}" || return "${ERR_GRUB_INSTALL}" chroot_exec "${TARGET}" grub-install "${ary_uefi_arg[@]}" || return "${ERR_GRUB_INSTALL}"
do_log "info" "file_only" "4230() Installed: GRUB on Device: '${grub_bootdev}' [UEFI]." do_log "info" "file_only" "4230() Installed: GRUB on [ESP]."
var_update_grub_required="true" var_update_grub_required="true"
return 0 return 0

72
func/cdi_4500_user/4520_accounts_setup.sh
View File

@@ -62,6 +62,7 @@ accounts_setup() {
write_pam_login "${var_target}" write_pam_login "${var_target}"
write_pam_sshd "${var_target}" write_pam_sshd "${var_target}"
write_pam_su "${var_target}" write_pam_su "${var_target}"
write_pam_su-l "${var_target}"
write_pam_sudo "${var_target}" write_pam_sudo "${var_target}"
write_pam_sudo-i "${var_target}" write_pam_sudo-i "${var_target}"
@@ -95,9 +96,19 @@ accounts_setup() {
;; ;;
true) true)
### SSH Public Key per default, only. if [[ "${user_root_authentication_2fa_ssh}" == "true" || "${user_root_authentication_2fa_tty}" == "true" ]]; then
sed -i -E "s|^[[:space:]]*PermitRootLogin[[:space:]]+.*$|$(printf '%-29s%s' 'PermitRootLogin' 'prohibit-password')|" "${var_target}/etc/ssh/sshd_config"
do_log "info" "file_only" "4520() User: 'root' SSH access: [PermitRootLogin prohibit-password]" ### SSH Public Key per default, only.
sed -i -E "s|^[[:space:]]*PermitRootLogin[[:space:]]+.*$|$(printf '%-29s%s' 'PermitRootLogin' 'yes')|" "${var_target}/etc/ssh/sshd_config"
do_log "info" "file_only" "4520() User: 'root' SSH access: [PermitRootLogin yes]"
else
### SSH Public Key per default, only.
sed -i -E "s|^[[:space:]]*PermitRootLogin[[:space:]]+.*$|$(printf '%-29s%s' 'PermitRootLogin' 'prohibit-password')|" "${var_target}/etc/ssh/sshd_config"
do_log "info" "file_only" "4520() User: 'root' SSH access: [PermitRootLogin prohibit-password]"
fi
;; ;;
*) *)
@@ -895,12 +906,12 @@ write_google_authenticator_file() {
printf '%s\n' "${var_secret}" printf '%s\n' "${var_secret}"
printf '" RATE_LIMIT 3 30\n' printf '" RATE_LIMIT 3 30\n'
printf '" WINDOW_SIZE 10\n' printf '" WINDOW_SIZE 04\n'
printf '" DISALLOW_REUSE\n' printf '" DISALLOW_REUSE\n'
printf '" TOTP_AUTH\n' printf '" TOTP_AUTH\n'
### Emergency Codes (8x unbiased 8-digit, CSPRNG via OpenSSL). ### Emergency Codes (10x unbiased 8-digit, CSPRNG via OpenSSL).
for i in {1..8}; do for i in {1..10}; do
### Draw 32 bits; rejection sampling to avoid modulo bias. ### Draw 32 bits; rejection sampling to avoid modulo bias.
while :; do while :; do
@@ -1333,8 +1344,10 @@ auth required pam_google_authenticator.so
# ===== CISS 2FA block end ===== # ===== CISS 2FA block end =====
@include common-account @include common-account
@include common-session session required pam_env.so
session required pam_env.so envfile=/etc/default/locale
@include common-session
# Sets up user limits according to /etc/security/limits.conf. (Replaces the use of /etc/limits in old login). # Sets up user limits according to /etc/security/limits.conf. (Replaces the use of /etc/limits in old login).
session required pam_limits.so session required pam_limits.so
@@ -1356,6 +1369,45 @@ EOF
# shellcheck disable=SC2034 # shellcheck disable=SC2034
readonly -f write_pam_su readonly -f write_pam_su
#######################################
# Writes CISS Header for '/etc/pam.d/su-l'.
# Globals:
# None
# Arguments:
# 1: TARGET
# Returns:
# 0: on success
#######################################
write_pam_su-l() {
### Declare Arrays, HashMaps, and Variables.
declare -r var_target="$1"
mv "${var_target}/etc/pam.d/su-l" "${var_target}/root/.ciss/cdi/backup/etc/pam.d/su-l"
cat << EOF >| "${var_target}/etc/pam.d/su-l"
#%PAM-1.0
# su-l: login-shell semantics; reuse 'su' stacks.
# Reuse exactly the 'su' stacks (incl. CISS 2FA in auth):
auth include su
account include su
password include su
# Login-shell extra, then reuse 'su' session (which already has pam_env):
session optional pam_keyinit.so force revoke
session include su
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
EOF
do_log "info" "file_only" "4520() Written: [/etc/pam.d/su-l]."
return 0
}
### Prevents accidental 'unset -f'.
# shellcheck disable=SC2034
readonly -f write_pam_su-l
####################################### #######################################
# Writes CISS Header for '/etc/pam.d/sudo'. # Writes CISS Header for '/etc/pam.d/sudo'.
# Globals: # Globals:
@@ -1441,8 +1493,8 @@ auth required pam_google_authenticator.so
# Accounts, sessions: # Accounts, sessions:
@include common-account @include common-account
@include common-session @include common-session
# Sets up user limits according to /etc/security/limits.conf. (Replaces the use of /etc/limits in old login). # Sets up user limits according to /etc/security/limits.conf. (Replaces the use of /etc/limits in old login).
session required pam_limits.so session required pam_limits.so

10
func/cdi_4600_packages/4600_installation_packages.sh
View File

@@ -32,8 +32,8 @@ installation_packages() {
chroot_script "${TARGET}" " chroot_script "${TARGET}" "
export INITRD=No export INITRD=No
[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
apt-get update -qq 2>&1 | tee -a ${var_logfile} apt-get update -qq 2>&1 | tee -a ${var_logfile}
apt-get upgrade -y 2>&1 | tee -a ${var_logfile} apt-get -y dist-upgrade 2>&1 | tee -a ${var_logfile} # (= apt full-upgrade) allow installs/replacements/removals.
" "
fi fi
@@ -46,9 +46,9 @@ installation_packages() {
chroot_script "${TARGET}" " chroot_script "${TARGET}" "
export INITRD=No export INITRD=No
[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
apt-get autoclean -y 2>&1 | tee -a ${var_logfile} apt-get autoremove --purge -y 2>&1 | tee -a ${var_logfile} # 'autopurge' == 'autoremove --purge'; don't run both.
apt-get autopurge -y 2>&1 | tee -a ${var_logfile} apt-get clean -y 2>&1 | tee -a ${var_logfile} # Stronger than autoclean: removes the entire '.deb'-cache.
apt-get autoremove -y 2>&1 | tee -a ${var_logfile} rm -rf /var/lib/apt/lists/* -y 2>&1 | tee -a ${var_logfile} # Will be repopulate on next 'apt update'.
" "
guard_dir && return 0 guard_dir && return 0

2
func/cdi_4600_packages/4620_installation_verification.sh
View File

@@ -15,7 +15,7 @@ guard_sourcing
### https://github.com/linux-audit/audit-userspace/tree/master/rules ### https://github.com/linux-audit/audit-userspace/tree/master/rules
####################################### #######################################
# Installs 'aide', 'audit', and 'debsums' audit and logging packages. # Installs 'acct', 'aide', 'audit', and 'debsums' audit and logging packages.
# Finalizes 'rkhunter' baseline. # Finalizes 'rkhunter' baseline.
# Globals: # Globals:
# TARGET # TARGET