msw/CISS.debian.live.builder
SHA256
2
1
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 6 Wiki Activity

V8.13.192.2025.10.18
All checks were successful
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 1m45s
Details

Browse Source 
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
This commit is contained in:
Marc S. Weidner
2025-10-18 18:40:07 +01:00
parent 9ea13fade8
commit 3cb59698cf
5 changed files with 86 additions and 21 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
config/hooks/live/0007_update_logrotate.chroot
View File

@@ -20,7 +20,7 @@ declare var_file="" var_log=""
export DEBIAN_FRONTEND="noninteractive" export DEBIAN_FRONTEND="noninteractive"
rm -f "/etc/logrotate.conf" rm -f "/etc/logrotate.conf"
cat << EOF >> "/etc/logrotate.conf" cat << EOF >| "/etc/logrotate.conf"
# See "man logrotate" for details. Global options do not affect preceding include directives. # See "man logrotate" for details. Global options do not affect preceding include directives.
# rotate log files daily # rotate log files daily
@@ -52,16 +52,6 @@ include /etc/logrotate.d
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
EOF EOF
for var_log in "${ary_logrotate[@]}"; do
var_file="$/etc/logrotate.d/${var_log}"
[[ -e "${var_file}" ]] || continue
### Replace leading 'monthly'/'weekly' directives with 'daily', preserving indentation and trailing comments.
sed -E -i \
-e 's/^([[:space:]]*)(monthly|weekly)([[:space:]]*)(#.*)?$/\1daily\3\4/' \
-e 's/^([[:space:]]*)rotate([[:space:]]+[0-9]+)?([[:space:]]*)(#.*)?$/\1rotate 384\3\4/' \
"${var_file}"
done
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}" printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
exit 0 exit 0

2
config/hooks/live/0810_chrony_setup.chroot
View File

@@ -111,6 +111,8 @@ if [[ -e /usr/share/zoneinfo/right/UTC ]]; then
fi fi
chronyd -Q -f /etc/chrony/chrony.conf 2>&1
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}" printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
exit 0 exit 0

47
config/hooks/live/9950_fail2ban_hardening.chroot
View File

@@ -44,6 +44,15 @@ maxretry = 8
findtime = 24h findtime = 24h
bantime = 24h bantime = 24h
[recidive]
enabled = true
filter = recidive
logpath = /var/log/fail2ban/fail2ban.log*
banaction = iptables-allports
bantime = 32d
findtime = 384d
maxretry = 4
### SSH Handling: Foreign IP (not in /etc/hosts.allow): refused to connect: immediate ban [sshd-refused] ### SSH Handling: Foreign IP (not in /etc/hosts.allow): refused to connect: immediate ban [sshd-refused]
### Jump host mistyped 1-3 times: no ban, only after four attempts [sshd] ### Jump host mistyped 1-3 times: no ban, only after four attempts [sshd]
@@ -82,25 +91,43 @@ maxretry = 1
bantime = 24h bantime = 24h
findtime = 24h findtime = 24h
[recidive] # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
enabled = true
filter = recidive
logpath = /var/log/fail2ban/fail2ban.log*
banaction = iptables-allports
bantime = 32d
findtime = 384d
maxretry = 4
EOF EOF
cat << 'EOF' >| /etc/fail2ban/filter.d/ciss-ufw.conf cat << 'EOF' >| /etc/fail2ban/filter.d/ciss-ufw.conf
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-10-18; WEIDNER, Marc S.; <cendev@coresecret.eu>
# SPDX-ExternalRef: GIT https://cendev.eu/marc.weidner/CISS.2025.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <cendev@coresecret.eu>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
[Definition] [Definition]
failregex = \[UFW BLOCK\].+SRC=<HOST> DST failregex = \[UFW BLOCK\].+SRC=<HOST> DST
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
EOF EOF
cat << 'EOF' >| /etc/fail2ban/filter.d/ciss-sshd-refused.conf cat << 'EOF' >| /etc/fail2ban/filter.d/ciss-sshd-refused.conf
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-10-18; WEIDNER, Marc S.; <cendev@coresecret.eu>
# SPDX-ExternalRef: GIT https://cendev.eu/marc.weidner/CISS.2025.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <cendev@coresecret.eu>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
[Definition] [Definition]
failregex = ^refused connect from \S+ \(<HOST>\) failregex = ^refused connect from \S+ \(<HOST>\)
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
EOF EOF
########################################################################################### ###########################################################################################
@@ -114,7 +141,7 @@ EOF
# allows Fail2ban to have write access on required paths. # # allows Fail2ban to have write access on required paths. #
########################################################################################### ###########################################################################################
mkdir -p /etc/systemd/system/fail2ban.service.d mkdir -p /etc/systemd/system/fail2ban.service.d
mkdir /var/log/fail2ban mkdir -p /var/log/fail2ban
cat << 'EOF' >| /etc/systemd/system/fail2ban.service.d/override.conf cat << 'EOF' >| /etc/systemd/system/fail2ban.service.d/override.conf
[Service] [Service]

45
config/hooks/live/9999_yyyy_logrotate.chroot Normal file
View File

@@ -0,0 +1,45 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
### Declare Arrays, HashMaps, and Variables.
declare -ar ary_logrotate=( "alternatives" "apt" "btmp" "chrony" "dpkg" "fail2ban" "rkhunter" "ufw" "unattended-upgrades" "usbguard")
declare var_file="" var_log=""
[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
export DEBIAN_FRONTEND="noninteractive"
for var_log in "${ary_logrotate[@]}"; do
var_file="$/etc/logrotate.d/${var_log}"
[[ -e "${var_file}" ]] || continue
### Replace leading 'monthly'/'weekly' directives with 'daily', preserving indentation and trailing comments.
sed -E -i \
-e 's/^([[:space:]]*)(monthly|weekly)([[:space:]]*)(#.*)?$/\1daily\3\4/' \
-e 's/^([[:space:]]*)rotate([[:space:]]+[0-9]+)?([[:space:]]*)(#.*)?$/\1rotate 384\3\4/' \
"${var_file}"
done
if ! logrotate -d /etc/logrotate.conf; then
printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ 'logrotate -d /etc/logrotate.conf' failed. \e[0m\n"
else
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ 'logrotate -d /etc/logrotate.conf' successful. \e[0m\n"
fi
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

1
docs/CHANGELOG.md
View File

@@ -14,6 +14,7 @@ include_toc: true
## V8.13.192.2025.10.18 ## V8.13.192.2025.10.18
* **Added**: [0007_update_logrotate.chroot](../config/hooks/live/0007_update_logrotate.chroot) * **Added**: [0007_update_logrotate.chroot](../config/hooks/live/0007_update_logrotate.chroot)
* **Added**: [9999_yyyy_logrotate.chroot](../config/hooks/live/9999_yyyy_logrotate.chroot)
* **Added**: [9999_zzzz.chroot](../config/hooks/live/9999_zzzz.chroot) * **Added**: [9999_zzzz.chroot](../config/hooks/live/9999_zzzz.chroot)
* **Updated**: [0000_basic_chroot_setup.chroot](../config/hooks/live/0000_basic_chroot_setup.chroot) XDG Base Directory Support * **Updated**: [0000_basic_chroot_setup.chroot](../config/hooks/live/0000_basic_chroot_setup.chroot) XDG Base Directory Support
* **Updated**: [9950_fail2ban_hardening.chroot](../config/hooks/live/9950_fail2ban_hardening.chroot) * **Updated**: [9950_fail2ban_hardening.chroot](../config/hooks/live/9950_fail2ban_hardening.chroot)