#!/bin/bash # SPDX-Version: 3.0 # SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; # SPDX-FileType: SOURCE # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework. # SPDX-PackageName: CISS.debian.installer # SPDX-Security-Contact: security@coresecret.eu guard_sourcing ####################################### # Hardening 'usb-guard'. # Globals: # TARGET # Arguments: # None # Returns: # 0: on success ####################################### hardening_usb() { ### Declare Arrays, HashMaps, and Variables. declare -r var_logfile="/root/.ciss/cdi/log/4480_hardening_usb.log" chroot_logger "${TARGET}${var_logfile}" ### Preparing USBGuard: see https://www.privacy-handbuch.de/handbuch_91a.htm chroot_script "${TARGET}" " export INITRD=No apt-get install -y --no-install-recommends --no-install-suggests usbguard 2>&1 | tee -a ${var_logfile} touch /tmp/rules.conf usbguard generate-policy >| /tmp/rules.conf if [[ -f /etc/usbguard/rules.conf && -s /etc/usbguard/rules.conf ]]; then mkdir -p /root/.ciss/cdi/backup/etc/usbguard mv /etc/usbguard/rules.conf /root/.ciss/cdi/backup/etc/usbguard/usbguard_rules.conf mv /tmp/rules.conf /etc/usbguard/rules.conf chmod 0600 /etc/usbguard/rules.conf else rm -f /etc/usbguard/rules.conf mv /tmp/rules.conf /etc/usbguard/rules.conf chmod 0600 /etc/usbguard/rules.conf fi #cp -a /etc/usbguard/usbguard-daemon.conf /root/.ciss/cdi/backup/etc/usbguard/usbguard-daemon.conf #sed -i 's/PresentDevicePolicy=apply-policy/PresentDevicePolicy=allow/' /etc/usbguard/usbguard-daemon.conf " guard_dir && return 0 } ### Prevents accidental 'unset -f'. # shellcheck disable=SC2034 readonly -f hardening_usb # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh