V8.00.000.2025.06.17

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2025-10-22 23:04:12 +01:00 · 2025-10-22 22:39:10 +01:00
4 changed files with 70 additions and 19 deletions
--- a/func/cdi_4200_boot/4230_installation_grub.sh
+++ b/func/cdi_4200_boot/4230_installation_grub.sh
@@ -266,7 +266,6 @@ readonly -f install_grub_bios
 # Globals:
 #   TARGET
 #   VAR_MODINFO_PATH
-#   grub_bootdev
 #   grub_update_nvram
 #   var_update_grub_required
 # Arguments:
@@ -300,8 +299,8 @@ install_grub_uefi() {

  [[ "${grub_update_nvram}" == "false" ]] && ary_uefi_arg+=( --no-nvram )

-  chroot_exec "${TARGET}" grub-install "${ary_uefi_arg[@]}" "${grub_bootdev}" || return "${ERR_GRUB_INSTALL}"
-  do_log "info" "file_only" "4230() Installed: GRUB on Device: '${grub_bootdev}' [UEFI]."
+  chroot_exec "${TARGET}" grub-install "${ary_uefi_arg[@]}" || return "${ERR_GRUB_INSTALL}"
+  do_log "info" "file_only" "4230() Installed: GRUB on [ESP]."
  var_update_grub_required="true"

  return 0
--- a/func/cdi_4500_user/4520_accounts_setup.sh
+++ b/func/cdi_4500_user/4520_accounts_setup.sh
@@ -62,6 +62,7 @@ accounts_setup() {
  write_pam_login       "${var_target}"
  write_pam_sshd        "${var_target}"
  write_pam_su          "${var_target}"
+  write_pam_su-l        "${var_target}"
  write_pam_sudo        "${var_target}"
  write_pam_sudo-i      "${var_target}"

@@ -95,9 +96,19 @@ accounts_setup() {
      ;;

    true)
-      ### SSH Public Key per default, only.
-      sed -i -E "s|^[[:space:]]*PermitRootLogin[[:space:]]+.*$|$(printf '%-29s%s' 'PermitRootLogin' 'prohibit-password')|" "${var_target}/etc/ssh/sshd_config"
-      do_log "info" "file_only" "4520() User: 'root' SSH access: [PermitRootLogin prohibit-password]"
+      if [[ "${user_root_authentication_2fa_ssh}" == "true" || "${user_root_authentication_2fa_tty}" == "true" ]]; then
+
+        ### SSH Public Key per default, only.
+        sed -i -E "s|^[[:space:]]*PermitRootLogin[[:space:]]+.*$|$(printf '%-29s%s' 'PermitRootLogin' 'yes')|" "${var_target}/etc/ssh/sshd_config"
+        do_log "info" "file_only" "4520() User: 'root' SSH access: [PermitRootLogin yes]"
+
+      else
+
+        ### SSH Public Key per default, only.
+        sed -i -E "s|^[[:space:]]*PermitRootLogin[[:space:]]+.*$|$(printf '%-29s%s' 'PermitRootLogin' 'prohibit-password')|" "${var_target}/etc/ssh/sshd_config"
+        do_log "info" "file_only" "4520() User: 'root' SSH access: [PermitRootLogin prohibit-password]"
+
+      fi
      ;;

    *)
@@ -895,12 +906,12 @@ write_google_authenticator_file() {

    printf '%s\n' "${var_secret}"
    printf '" RATE_LIMIT 3 30\n'
-    printf '" WINDOW_SIZE 10\n'
+    printf '" WINDOW_SIZE 04\n'
    printf '" DISALLOW_REUSE\n'
    printf '" TOTP_AUTH\n'

-    ### Emergency Codes (8x unbiased 8-digit, CSPRNG via OpenSSL).
-    for i in {1..8}; do
+    ### Emergency Codes (10x unbiased 8-digit, CSPRNG via OpenSSL).
+    for i in {1..10}; do

      ### Draw 32 bits; rejection sampling to avoid modulo bias.
      while :; do
@@ -1333,8 +1344,10 @@ auth     required   pam_google_authenticator.so
 # ===== CISS 2FA block end =====


-@include common-account
-@include common-session
+@include            common-account
+session  required   pam_env.so
+session  required   pam_env.so envfile=/etc/default/locale
+@include            common-session

 # Sets up user limits according to /etc/security/limits.conf. (Replaces the use of /etc/limits in old login).
 session  required   pam_limits.so
@@ -1356,6 +1369,45 @@ EOF
 # shellcheck disable=SC2034
 readonly -f write_pam_su

+#######################################
+# Writes CISS Header for '/etc/pam.d/su-l'.
+# Globals:
+#   None
+# Arguments:
+#   1: TARGET
+# Returns:
+#   0: on success
+#######################################
+write_pam_su-l() {
+  ### Declare Arrays, HashMaps, and Variables.
+  declare -r  var_target="$1"
+
+  mv "${var_target}/etc/pam.d/su-l" "${var_target}/root/.ciss/cdi/backup/etc/pam.d/su-l"
+
+  cat << EOF >|   "${var_target}/etc/pam.d/su-l"
+#%PAM-1.0
+# su-l: login-shell semantics; reuse 'su' stacks.
+
+# Reuse exactly the 'su' stacks (incl. CISS 2FA in auth):
+auth     include    su
+account  include    su
+password include    su
+
+# Login-shell extra, then reuse 'su' session (which already has pam_env):
+session  optional   pam_keyinit.so force revoke
+session  include    su
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
+EOF
+
+  do_log "info" "file_only" "4520() Written: [/etc/pam.d/su-l]."
+
+  return 0
+}
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f write_pam_su-l
+
 #######################################
 # Writes CISS Header for '/etc/pam.d/sudo'.
 # Globals:
@@ -1441,8 +1493,8 @@ auth     required   pam_google_authenticator.so


 # Accounts, sessions:
-@include common-account
-@include common-session
+@include            common-account
+@include            common-session

 # Sets up user limits according to /etc/security/limits.conf. (Replaces the use of /etc/limits in old login).
 session  required   pam_limits.so
--- a/func/cdi_4600_packages/4600_installation_packages.sh
+++ b/func/cdi_4600_packages/4600_installation_packages.sh
@@ -32,8 +32,8 @@ installation_packages() {
    chroot_script "${TARGET}" "
      export INITRD=No
      [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
-      apt-get update  -qq 2>&1 | tee -a ${var_logfile}
-      apt-get upgrade -y  2>&1 | tee -a ${var_logfile}
+      apt-get update -qq      2>&1 | tee -a ${var_logfile}
+      apt-get -y dist-upgrade 2>&1 | tee -a ${var_logfile}       # (= apt full-upgrade) allow installs/replacements/removals.
    "
  fi

@@ -46,9 +46,9 @@ installation_packages() {
  chroot_script "${TARGET}" "
    export INITRD=No
    [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
-    apt-get autoclean  -y 2>&1 | tee -a ${var_logfile}
-    apt-get autopurge  -y 2>&1 | tee -a ${var_logfile}
-    apt-get autoremove -y 2>&1 | tee -a ${var_logfile}
+    apt-get autoremove --purge  -y 2>&1 | tee -a ${var_logfile}  # 'autopurge' == 'autoremove --purge'; don't run both.
+    apt-get clean               -y 2>&1 | tee -a ${var_logfile}  # Stronger than autoclean: removes the entire '.deb'-cache.
+    rm -rf /var/lib/apt/lists/* -y 2>&1 | tee -a ${var_logfile}  # Will be repopulate on next 'apt update'.
  "

  guard_dir && return 0
--- a/func/cdi_4600_packages/4620_installation_verification.sh
+++ b/func/cdi_4600_packages/4620_installation_verification.sh
@@ -15,7 +15,7 @@ guard_sourcing
 ### https://github.com/linux-audit/audit-userspace/tree/master/rules

 #######################################
-# Installs 'aide', 'audit', and 'debsums' audit and logging packages.
+# Installs 'acct', 'aide', 'audit', and 'debsums' audit and logging packages.
 # Finalizes 'rkhunter' baseline.
 # Globals:
 #   TARGET
Author	SHA256	Message	Date
Marc S. Weidner	d8c4bc665a	V8.00.000.2025.06.17 All checks were successful 🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 1m47s Details Signed-off-by: Marc S. Weidner <msw@coresecret.dev>	2025-10-22 23:04:12 +01:00
Marc S. Weidner	bd614c17c9	V8.00.000.2025.06.17 Signed-off-by: Marc S. Weidner <msw@coresecret.dev>	2025-10-22 22:39:10 +01:00