msw/CISS.debian.installer
SHA256
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
86c483459a5d7a53816d5ed464805cb8f30a0d2f853b93148b918eef92b36df9
CISS.debian.installer/func/cdi_4400_hardening/4450_hardening_memory.sh
Marc S. Weidner 9221726408
All checks were successful
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 1m51s
Details
V8.00.000.2025.06.17 
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2025-10-21 20:20:32 +01:00

186 lines
6.1 KiB
Bash
Raw Blame History

#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
guard_sourcing
#######################################
# NOTE:
# According to the manual pages of limits.conf(5) and pam_limits(8),
# entries in '/etc/security/limits.conf' or drop-ins under
# '/etc/security/limits.d/' are NOT applied automatically by the system.
# The actual enforcement of these ulimit(2) constraints, including
# '* soft core 0' and '* hard core 0' to disable kernel core dumps,
# requires that the PAM module 'pam_limits.so' is invoked in the
# 'session' stack of the respective service (e.g., via
# '/etc/pam.d/common-session' and
# '/etc/pam.d/common-session-noninteractive').
#
# Without 'pam_limits.so' present in these PAM configuration files,
# the configured limits remain ineffective for PAM-based logins
# (SSH, local TTY, sudo, su, cron, etc.).
# Services launched by systemd bypass PAM and must have 'LimitCORE=0'
# or 'DefaultLimitCORE=0' set in their unit or in system.conf.d(5).
#
# References:
# - man 5 limits.conf
# - man 8 pam_limits
#######################################
#######################################
# Hardening memory dump via:
# '/etc/systemd/coredump.conf.d/disable.conf'
# '/etc/security/limits.d/90-ciss-core.conf'
# '/etc/systemd/system.conf.d/90-ciss-core.conf'
# '/etc/pam.d/common-session'
# '/etc/pam.d/common-session-noninteractive'
# Globals:
# RECOVERY
# TARGET
# VAR_RUN_RECOVERY
# Arguments:
# None
# Returns:
# 0: on success
#######################################
hardening_memory() {
### Declare Arrays, HashMaps, and Variables.
declare var_target="${TARGET}"
### Check for TARGET / RECOVERY.
[[ "${VAR_RUN_RECOVERY}" == "true" ]] && var_target="${RECOVERY}"
mkdir -p "${var_target}/etc/systemd/coredump.conf.d"
mkdir -p "${var_target}/etc/systemd/system.conf.d"
insert_header "${var_target}/etc/security/limits.d/99-ciss-core.conf"
insert_comments "${var_target}/etc/security/limits.d/99-ciss-core.conf"
cat << 'EOF' >> "${var_target}/etc/security/limits.d/99-ciss-core.conf"
# Enforce: no core dumps for all logins by default.
# Format: <domain> <type> <item> <value>
* hard core 0
* soft core 0
root hard core 0
root soft core 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
EOF
insert_header "${var_target}/etc/systemd/coredump.conf.d/disable.conf"
insert_comments "${var_target}/etc/systemd/coredump.conf.d/disable.conf"
cat << 'EOF' >> "${var_target}/etc/systemd/coredump.conf.d/disable.conf"
### Do not store core images anywhere, keep the at most minimal metadata.
[Coredump]
Storage=none
ProcessSizeMax=0
ExternalSizeMax=0
JournalSizeMax=0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
EOF
[[ -f "${var_target}/etc/systemd/system.conf.d/10-coredump-debian.conf" ]] && \
mv "${var_target}/etc/systemd/system.conf.d/10-coredump-debian.conf" "${var_target}/etc/systemd/system.conf.d/10-coredump-debian.conf.bak"
insert_header "${var_target}/etc/systemd/system.conf.d/99-ciss-core.conf"
insert_comments "${var_target}/etc/systemd/system.conf.d/99-ciss-core.conf"
cat << 'EOF' >> "${var_target}/etc/systemd/system.conf.d/99-ciss-core.conf"
[Manager]
DefaultLimitCORE=0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
EOF
### Unified in 4520()
# - write_pam_login()
# - write_pam_sshd()
# - write_pam_su()
# - write_pam_sudo()
# - write_pam_sudo-i()
# guard_pam_limits
guard_dir && return 0
}
### Prevents accidental 'unset -f'.
# shellcheck disable=SC2034
readonly -f hardening_memory
#######################################
# Ensure 'pam_limits.so' is activated in:
# '/etc/pam.d/common-session'
# '/etc/pam.d/common-session-noninteractive'
# Globals:
# RECOVERY
# TARGET
# VAR_RUN_RECOVERY
# Arguments:
# None
# Returns:
# 0: on success
#######################################
guard_pam_limits() {
### Declare Arrays, HashMaps, and Variables.
declare var_target="${TARGET}"
### Check for TARGET / RECOVERY.
[[ "${VAR_RUN_RECOVERY}" == "true" ]] && var_target="${RECOVERY}"
declare var_file_0="${var_target}/etc/pam.d/common-session"
declare var_file_1="${var_target}/etc/pam.d/common-session-noninteractive"
declare var_line='session required pam_limits.so' var_file=""
declare -i var_changed=0
for var_file in "${var_file_0}" "${var_file_1}"; do
[[ -f "${var_file}" ]] || continue
### Already active (not commented out)?
if grep -qE '^[[:space:]]*session[[:space:]]+required[[:space:]]+pam_limits\.so([[:space:]]|$)' "${var_file}"; then
continue
fi
### If only commented out, activate (preferred over blunt appending).
if grep -qE '^[[:space:]]*#([[:space:]]*)session[[:space:]]+required[[:space:]]+pam_limits\.so([[:space:]]|$)' "${var_file}"; then
### Remove comment characters at the beginning of lines (atomically via tmp file).
declare var_tmp; var_tmp="$(mktemp "${var_file}.XXXXXX")"
awk '
/^[[:space:]]*#([[:space:]]*)session[[:space:]]+required[[:space:]]+pam_limits\.so([[:space:]]|$)/ {
sub(/^[[:space:]]*#([[:space:]]*)/,""); print; next
} { print }
' "${var_file}" >> "${var_tmp}" && mv -- "${var_tmp}" "${var_file}"
var_changed=1
continue
fi
### Otherwise, append to the end (cleanly with a new line).
printf '\n%s\n' "${var_line}" >> "${var_file}"
var_changed=1
done
(( var_changed )) && do_log "info" "file_only" "4460() Activated pam_limits.so: (common-session[*])"
guard_dir && return 0
}
### Prevents accidental 'unset -f'.
# shellcheck disable=SC2034
readonly -f guard_pam_limits
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
Reference in New Issue View Git Blame Copy Permalink