#!/bin/bash # SPDX-Version: 3.0 # SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; # SPDX-FileType: SOURCE # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework. # SPDX-PackageName: CISS.debian.installer # SPDX-Security-Contact: security@coresecret.eu guard_sourcing ####################################### # NOTE: # According to the manual pages of limits.conf(5) and pam_limits(8), # entries in '/etc/security/limits.conf' or drop-ins under # '/etc/security/limits.d/' are NOT applied automatically by the system. # The actual enforcement of these ulimit(2) constraints, including # '* soft core 0' and '* hard core 0' to disable kernel core dumps, # requires that the PAM module 'pam_limits.so' is invoked in the # 'session' stack of the respective service (e.g., via # '/etc/pam.d/common-session' and # '/etc/pam.d/common-session-noninteractive'). # # Without 'pam_limits.so' present in these PAM configuration files, # the configured limits remain ineffective for PAM-based logins # (SSH, local TTY, sudo, su, cron, etc.). # Services launched by systemd bypass PAM and must have 'LimitCORE=0' # or 'DefaultLimitCORE=0' set in their unit or in system.conf.d(5). 
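#
# References:
# - man 5 limits.conf
# - man 8 pam_limits
#######################################

#######################################
# Hardening memory dump via:
#   '/etc/systemd/coredump.conf.d/disable.conf'
#   '/etc/security/limits.d/99-ciss-core.conf'
#   '/etc/systemd/system.conf.d/99-ciss-core.conf'
#   '/etc/pam.d/common-session'
#   '/etc/pam.d/common-session-noninteractive'
# Layers (each one covers what the others cannot):
#   - pam_limits: RLIMIT_CORE=0 for PAM logins (needs pam_limits.so active,
#     see guard_pam_limits below).
#   - systemd [Manager] DefaultLimitCORE=0: RLIMIT_CORE=0 for units that
#     do not go through PAM.
#   - systemd-coredump Storage=none / *SizeMax=0: nothing is stored even if
#     a process somehow raised its own limit.
# Globals:
#   TARGET
#   VAR_ARCHITECTURE
#   VAR_CODENAME
#   VAR_VERSION
# Arguments:
#   None
# Returns:
#   0: on success
#   non-zero: if a config file could not be written or PAM activation failed
#######################################
hardening_memory() {
  ### Declare Arrays, HashMaps, and Variables.
  declare var_limits="${TARGET}/etc/security/limits.d/99-ciss-core.conf"
  declare var_coredump="${TARGET}/etc/systemd/coredump.conf.d/disable.conf"
  declare var_manager="${TARGET}/etc/systemd/system.conf.d/99-ciss-core.conf"
  declare var_debian="${TARGET}/etc/systemd/system.conf.d/10-coredump-debian.conf"

  ### limits.d is created as well: it is not guaranteed to exist in a fresh target.
  mkdir -p -- "${var_limits%/*}" "${var_coredump%/*}" "${var_manager%/*}" || return 1

  ### pam_limits: wildcard ('*') entries are NOT applied to root (limits.conf(5)),
  ### hence the explicit 'root' lines in addition to '*'.
  insert_header "${var_limits}"
  insert_comments "${var_limits}"
  cat << 'EOF' >> "${var_limits}" || return 1
# Enforce: no core dumps for all logins by default.
# Format: <domain> <type> <item> <value>
# NOTE: '*' does not cover root (see limits.conf(5)), so root is listed explicitly.
* hard core 0
* soft core 0
root hard core 0
root soft core 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
EOF

  ### systemd-coredump: do not process or store anything (ProcessSizeMax=0 skips
  ### handling entirely, Storage=none keeps no core image).
  insert_header "${var_coredump}"
  insert_comments "${var_coredump}"
  cat << 'EOF' >> "${var_coredump}" || return 1
### Do not store core images anywhere; keep at most minimal metadata.
[Coredump]
Storage=none
ProcessSizeMax=0
ExternalSizeMax=0
JournalSizeMax=0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
EOF

  ### A distribution drop-in that re-enables core dumps is parked as '.bak'
  ### (systemd only reads '*.conf' drop-ins). '99-' sorts after it anyway, so
  ### the override below wins even if the move is skipped.
  if [[ -f "${var_debian}" ]]; then
    mv -- "${var_debian}" "${var_debian}.bak" || return 1
  fi

  insert_header "${var_manager}"
  insert_comments "${var_manager}"
  cat << 'EOF' >> "${var_manager}" || return 1
[Manager]
DefaultLimitCORE=0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
EOF

  ### Without pam_limits.so in the session stacks the limits.d entries are inert.
  guard_pam_limits || return 1

  guard_dir && return 0
}

#######################################
# Ensure 'pam_limits.so' is activated in:
#   '/etc/pam.d/common-session'
#   '/etc/pam.d/common-session-noninteractive'
# Strategy per file (files that do not exist are skipped):
#   1. an uncommented 'session ... pam_limits.so' line (any control field)
#      already exists -> nothing to do;
#   2. only a commented-out 'session required pam_limits.so' exists ->
#      uncomment it in place (atomic replace via a temp file that keeps the
#      original file mode; the original mktemp()-created 0600 would otherwise
#      be inherited by the PAM config);
#   3. otherwise append 'session required pam_limits.so'.
# Globals:
#   TARGET
# Arguments:
#   None
# Returns:
#   0: on success
#   1: if the temp file could not be created or the atomic replace failed
#######################################
guard_pam_limits() {
  ### Declare Arrays, HashMaps, and Variables.
  declare var_file_0="${TARGET}/etc/pam.d/common-session"
  declare var_file_1="${TARGET}/etc/pam.d/common-session-noninteractive"
  declare var_line='session required pam_limits.so'
  declare var_file="" var_tmp=""
  ### Active: any non-comment 'session' line (optionally '-' prefixed) that loads
  ### pam_limits.so, whatever the control field (required/optional/[...]); a
  ### narrower match would append a duplicate next to an existing entry.
  declare var_active='^[[:space:]]*-?session[[:space:]]+[^#]*pam_limits\.so([[:space:]]|$)'
  declare -i var_changed=0

  for var_file in "${var_file_0}" "${var_file_1}"; do
    [[ -f "${var_file}" ]] || continue

    ### Already active (not commented out)?
    if grep -qE -- "${var_active}" "${var_file}"; then
      continue
    fi

    ### If only commented out, activate (preferred over blunt appending).
    if grep -qE -- '^[[:space:]]*#([[:space:]]*)session[[:space:]]+required[[:space:]]+pam_limits\.so([[:space:]]|$)' "${var_file}"; then
      var_tmp="$(mktemp -- "${var_file}.XXXXXX")" || return 1
      ### 'cp -p' first so the temp file carries the PAM file's mode (and owner
      ### when running as root); awk then rewrites its content. Remove comment
      ### characters at the beginning of the matching lines only.
      if cp -p -- "${var_file}" "${var_tmp}" \
        && awk '
          /^[[:space:]]*#([[:space:]]*)session[[:space:]]+required[[:space:]]+pam_limits\.so([[:space:]]|$)/ {
            sub(/^[[:space:]]*#([[:space:]]*)/, "")
          }
          { print }
        ' "${var_file}" > "${var_tmp}" \
        && mv -- "${var_tmp}" "${var_file}"; then
        var_changed=1
      else
        ### Never leave a stray '<service>.XXXXXX' file behind in /etc/pam.d.
        rm -f -- "${var_tmp}"
        return 1
      fi
      continue
    fi

    ### Otherwise, append to the end (cleanly with a new line).
    printf '\n%s\n' "${var_line}" >> "${var_file}" || return 1
    var_changed=1
  done

  (( var_changed )) && do_log "info" "file_only" "4460() Activated pam_limits.so: (common-session[*])"

  guard_dir && return 0
}

# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh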