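#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.;
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.;
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu

guard_sourcing

#######################################
# Hardening memory dump via:
#   '/etc/systemd/coredump.conf.d/disable.conf'
#   '/etc/security/limits.d/90-ciss-core.conf'
#   '/etc/systemd/system.conf.d/90-ciss-core.conf'
#   '/etc/pam.d/common-session'
#   '/etc/pam.d/common-session-noninteractive'
# Every drop-in directory is created explicitly so the function does not
# depend on the target root already shipping it; the generated files are
# world-readable (0644) because systemd and pam_limits read them as root
# but they contain no secrets. The '>|' redirection is used for all
# generated files so the write succeeds even when 'noclobber' is active
# elsewhere in the framework.
# Globals:
#   TARGET
#   VAR_ARCHITECTURE
#   VAR_CODENAME
#   VAR_VERSION
# Arguments:
#   None
# Returns:
#   0: on success
#   non-zero: if 'guard_pam_limits' or 'guard_dir' fails
#######################################
hardening_memory() {
  ### Disable systemd-coredump storage entirely.
  mkdir -p "${TARGET}/etc/systemd/coredump.conf.d"
  cat << EOF >| "${TARGET}/etc/systemd/coredump.conf.d/disable.conf"
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.;
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.;
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
# Static file system information: /etc/systemd/coredump.conf.d/disable.conf
# Generated by CISS.debian.installer ${VAR_VERSION}
# Architecture: ${VAR_ARCHITECTURE}
# Distribution: ${VAR_CODENAME}
[Coredump]
Storage=none
EOF
  chmod 0644 "${TARGET}/etc/systemd/coredump.conf.d/disable.conf"

  ### Core file size limit 0 for every PAM session (enforced via pam_limits.so).
  ### The directory is created here as well: the other two drop-ins create
  ### theirs, and a missing limits.d would otherwise make the redirection fail.
  mkdir -p "${TARGET}/etc/security/limits.d"
  cat << EOF >| "${TARGET}/etc/security/limits.d/90-ciss-core.conf"
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.;
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.;
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
# Static file system information: /etc/security/limits.d/90-ciss-core.conf
# Generated by CISS.debian.installer ${VAR_VERSION}
# Architecture: ${VAR_ARCHITECTURE}
# Distribution: ${VAR_CODENAME}
# Format:
* soft core 0
* hard core 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
EOF
  chmod 0644 "${TARGET}/etc/security/limits.d/90-ciss-core.conf"

  ### Core file size limit 0 for services started by systemd (which do not
  ### pass through PAM and therefore ignore limits.d).
  mkdir -p "${TARGET}/etc/systemd/system.conf.d"
  cat << EOF >| "${TARGET}/etc/systemd/system.conf.d/90-ciss-core.conf"
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.;
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.;
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
# Static file system information: /etc/systemd/system.conf.d/90-ciss-core.conf
# Generated by CISS.debian.installer ${VAR_VERSION}
# Architecture: ${VAR_ARCHITECTURE}
# Distribution: ${VAR_CODENAME}
[Manager]
DefaultLimitCORE=0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
EOF
  chmod 0644 "${TARGET}/etc/systemd/system.conf.d/90-ciss-core.conf"

  ### limits.d is only honoured when pam_limits.so is actually loaded;
  ### a failure here means the core limit is not enforced for logins.
  guard_pam_limits || return 1
  guard_dir && return 0
}

#######################################
# Ensure 'pam_limits.so' is activated in:
#   '/etc/pam.d/common-session'
#   '/etc/pam.d/common-session-noninteractive'
# For each file that exists: nothing is done when an active line is already
# present; a commented-out line is un-commented in place via a temporary file
# (keeping the original file mode, so the PAM config does not silently become
# 0600 after the rename); otherwise the line is appended.
# Globals:
#   TARGET
# Arguments:
#   None
# Returns:
#   0: on success
#   1: if the temporary file could not be created or the rewrite failed
#######################################
guard_pam_limits() {
  ### Declare Arrays, HashMaps, and Variables.
  declare var_file_0="${TARGET}/etc/pam.d/common-session"
  declare var_file_1="${TARGET}/etc/pam.d/common-session-noninteractive"
  declare var_line='session required pam_limits.so' var_file=""
  declare -i var_changed=0
  declare -r var_re_active='^[[:space:]]*session[[:space:]]+required[[:space:]]+pam_limits\.so([[:space:]]|$)'
  declare -r var_re_commented='^[[:space:]]*#([[:space:]]*)session[[:space:]]+required[[:space:]]+pam_limits\.so([[:space:]]|$)'

  for var_file in "${var_file_0}" "${var_file_1}"; do
    [[ -f "${var_file}" ]] || continue

    ### Already active (not commented out)?
    if grep -qE "${var_re_active}" "${var_file}"; then
      continue
    fi

    ### If only commented out, activate (preferred over blunt appending).
    if grep -qE "${var_re_commented}" "${var_file}"; then
      ### Remove comment characters at the beginning of lines (atomically via tmp file).
      declare var_tmp
      var_tmp="$(mktemp "${var_file}.XXXXXX")" || return 1
      ### '>|' because the mktemp file already exists (see 'noclobber' note above);
      ### the mode is copied from the original before the rename so the PAM
      ### file keeps its permissions instead of mktemp's 0600.
      if awk '
        /^[[:space:]]*#([[:space:]]*)session[[:space:]]+required[[:space:]]+pam_limits\.so([[:space:]]|$)/ {
          sub(/^[[:space:]]*#([[:space:]]*)/, ""); print; next
        }
        { print }
      ' "${var_file}" >| "${var_tmp}" \
        && chmod --reference="${var_file}" "${var_tmp}" \
        && mv -- "${var_tmp}" "${var_file}"; then
        var_changed=1
      else
        rm -f -- "${var_tmp}"
        return 1
      fi
      continue
    fi

    ### Otherwise, append to the end (cleanly with a new line).
    printf '\n%s\n' "${var_line}" >> "${var_file}"
    var_changed=1
  done

  (( var_changed )) && do_log "info" "file_only" "4460() Activated pam_limits.so: (common-session[*])"
  return 0
}

# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh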