msw/CISS.debian.live.builder
SHA256
2
1
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 6 Wiki Activity

V8.04.002.2025.08.11
All checks were successful
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 53s
Details

Browse Source 
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
This commit is contained in:
Marc S. Weidner
2025-08-12 10:25:17 +02:00
parent 97799cc705
commit 9486dc970e
1 changed files with 88 additions and 23 deletions
Download Patch File Download Diff File Expand all files Collapse all files

109
lib/lib_hardening_ultra.sh
View File

@@ -29,53 +29,114 @@ hardening_ultra() {
# shellcheck disable=SC2164 # shellcheck disable=SC2164
cd "${VAR_WORKDIR}" cd "${VAR_WORKDIR}"
### ./config/bootloaders
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Copying ./config/bootloaders ... \e[0m\n" printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Copying ./config/bootloaders ... \e[0m\n"
if [[ ! -d "${VAR_HANDLER_BUILD_DIR}/config/bootloaders" ]]; then if [[ ! -d "${VAR_HANDLER_BUILD_DIR}/config/bootloaders" ]]; then
mkdir -p "${VAR_HANDLER_BUILD_DIR}/config/bootloaders" mkdir -p "${VAR_HANDLER_BUILD_DIR}/config/bootloaders"
cp -af ./config/bootloaders "${VAR_HANDLER_BUILD_DIR}/config" cp -af ./config/bootloaders "${VAR_HANDLER_BUILD_DIR}/config"
else else
cp -af ./config/bootloaders "${VAR_HANDLER_BUILD_DIR}/config" cp -af ./config/bootloaders "${VAR_HANDLER_BUILD_DIR}/config"
fi fi
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Copying ./config/bootloaders done.\e[0m\n" printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Copying ./config/bootloaders done.\e[0m\n"
### ./config/includes.chroot_after_packages
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Copying ./config/includes.chroot_after_packages ... \e[0m\n"
if [[ ! -d "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot_after_packages" ]]; then
mkdir -p "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot_after_packages"
cp -af ./config/includes.chroot_after_packages "${VAR_HANDLER_BUILD_DIR}/config"
else
cp -af ./config/includes.chroot_after_packages "${VAR_HANDLER_BUILD_DIR}/config"
fi
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Copying ./config/includes.chroot_after_packages done.\e[0m\n"
### ./config/includes.binary
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Copying ./config/includes.binary ... \e[0m\n" printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Copying ./config/includes.binary ... \e[0m\n"
if [[ ! -d "${VAR_HANDLER_BUILD_DIR}/config/includes.binary/boot/grub" ]]; then if [[ ! -d "${VAR_HANDLER_BUILD_DIR}/config/includes.binary/boot/grub" ]]; then
mkdir -p "${VAR_HANDLER_BUILD_DIR}/config/includes.binary/boot/grub" mkdir -p "${VAR_HANDLER_BUILD_DIR}/config/includes.binary/boot/grub"
cp -af ./config/includes.binary "${VAR_HANDLER_BUILD_DIR}/config" cp -af ./config/includes.binary "${VAR_HANDLER_BUILD_DIR}/config"
else else
cp -af ./config/includes.binary "${VAR_HANDLER_BUILD_DIR}/config" cp -af ./config/includes.binary "${VAR_HANDLER_BUILD_DIR}/config"
fi fi
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Copying ./config/includes.binary done.\e[0m\n" printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Copying ./config/includes.binary done.\e[0m\n"
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Copying ./config/hooks/live ... \e[0m\n"
if [[ ! -d "${VAR_HANDLER_BUILD_DIR}/config/hooks/live" ]]; then
mkdir -p "${VAR_HANDLER_BUILD_DIR}/config/hooks/live"
cp -af ./config/hooks/live "${VAR_HANDLER_BUILD_DIR}/config/hooks"
else
cp -af ./config/hooks/live "${VAR_HANDLER_BUILD_DIR}/config/hooks"
fi
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Copying ./config/hooks/live done.\e[0m\n"
if [[ -d "${VAR_WORKDIR}/config/hooks/early" ]]; then
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Copying ./config/hooks/early ... \e[0m\n"
if [[ ! -d "${VAR_HANDLER_BUILD_DIR}/config/hooks/early" ]]; then
mkdir -p "${VAR_HANDLER_BUILD_DIR}/config/hooks/early"
cp -af ./config/hooks/early "${VAR_HANDLER_BUILD_DIR}/config/hooks"
else
cp -af ./config/hooks/early "${VAR_HANDLER_BUILD_DIR}/config/hooks"
fi
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Copying ./config/hooks/early done.\e[0m\n"
fi
### ./config/includes.chroot
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Copying ./config/includes.chroot ... \e[0m\n" printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Copying ./config/includes.chroot ... \e[0m\n"
if [[ ! -d "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot" ]]; then if [[ ! -d "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot" ]]; then
mkdir -p "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot" mkdir -p "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot"
cp -af ./config/includes.chroot "${VAR_HANDLER_BUILD_DIR}/config" cp -af ./config/includes.chroot "${VAR_HANDLER_BUILD_DIR}/config"
else else
cp -af ./config/includes.chroot "${VAR_HANDLER_BUILD_DIR}/config" cp -af ./config/includes.chroot "${VAR_HANDLER_BUILD_DIR}/config"
fi fi
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Copying ./config/includes.chroot done.\e[0m\n" printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Copying ./config/includes.chroot done.\e[0m\n"
### ./config/hooks/early
if [[ -d "${VAR_WORKDIR}/config/hooks/early" ]]; then
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Copying ./config/hooks/early ... \e[0m\n"
if [[ ! -d "${VAR_HANDLER_BUILD_DIR}/config/hooks/early" ]]; then
mkdir -p "${VAR_HANDLER_BUILD_DIR}/config/hooks/early"
cp -af ./config/hooks/early "${VAR_HANDLER_BUILD_DIR}/config/hooks"
else
cp -af ./config/hooks/early "${VAR_HANDLER_BUILD_DIR}/config/hooks"
fi
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Copying ./config/hooks/early done.\e[0m\n"
fi
### ./config/hooks/live
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Copying ./config/hooks/live ... \e[0m\n"
if [[ ! -d "${VAR_HANDLER_BUILD_DIR}/config/hooks/live" ]]; then
mkdir -p "${VAR_HANDLER_BUILD_DIR}/config/hooks/live"
cp -af ./config/hooks/live "${VAR_HANDLER_BUILD_DIR}/config/hooks"
else
cp -af ./config/hooks/live "${VAR_HANDLER_BUILD_DIR}/config/hooks"
fi
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Copying ./config/hooks/live done.\e[0m\n"
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Copying ./config/package-lists ... \e[0m\n" printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Copying ./config/package-lists ... \e[0m\n"
if [[ ! -d "${VAR_HANDLER_BUILD_DIR}/config/package-lists" ]]; then if [[ ! -d "${VAR_HANDLER_BUILD_DIR}/config/package-lists" ]]; then
mkdir -p "${VAR_HANDLER_BUILD_DIR}/config/package-lists" mkdir -p "${VAR_HANDLER_BUILD_DIR}/config/package-lists"
@@ -98,6 +159,7 @@ hardening_ultra() {
esac esac
declare pkgs declare pkgs
# shellcheck disable=SC2312
mapfile -t pkgs < <( mapfile -t pkgs < <(
grep -v '^\s*#' "${arch_list}" | sed '/^\s*$/d' grep -v '^\s*#' "${arch_list}" | sed '/^\s*$/d'
) )
@@ -140,6 +202,7 @@ hardening_ultra() {
declare file="${VAR_HANDLER_BUILD_DIR}/config/hooks/live/0900_ufw_setup.chroot" declare file="${VAR_HANDLER_BUILD_DIR}/config/hooks/live/0900_ufw_setup.chroot"
sed -i "/^ufw allow in \"\${SSHPORT}\"\/tcp comment 'Incoming SSH (Custom-Port)'$/d" "${file}" sed -i "/^ufw allow in \"\${SSHPORT}\"\/tcp comment 'Incoming SSH (Custom-Port)'$/d" "${file}"
declare line declare line
# shellcheck disable=SC2312
line=$(grep -n '^ufw default deny forward$' "${file}" | cut -d: -f1) line=$(grep -n '^ufw default deny forward$' "${file}" | cut -d: -f1)
if [[ -z "${line}" ]]; then if [[ -z "${line}" ]]; then
@@ -150,7 +213,7 @@ hardening_ultra() {
declare host declare host
for host in "${ARY_HANDLER_JUMPHOST_UNIQUE[@]}"; do for host in "${ARY_HANDLER_JUMPHOST_UNIQUE[@]}"; do
((line++)) ((line++))
sed -i "${line}a ufw allow from ${host} to any port ${sshport} proto tcp comment \"Incoming SSH ([${host}]:${sshport})\"" "$file" sed -i "${line}a ufw allow from ${host} to any port ${sshport} proto tcp comment \"Incoming SSH ([${host}]:${sshport})\"" "${file}"
done done
fi fi
@@ -163,7 +226,7 @@ hardening_ultra() {
declare -r sshport="${VAR_SSHPORT:-22}" declare -r sshport="${VAR_SSHPORT:-22}"
sed -i "s|^port = MUST_BE_SET|port = ${sshport}|" "${VAR_HANDLER_BUILD_DIR}/config/hooks/live/9950_fail2ban_hardening.chroot" sed -i "s|^port = MUST_BE_SET|port = ${sshport}|" "${VAR_HANDLER_BUILD_DIR}/config/hooks/live/9950_fail2ban_hardening.chroot"
sed -i "s|^declare -r SSHPORT=\"MUST_BE_SET\"|declare -r SSHPORT=\"$sshport\"|" "${VAR_HANDLER_BUILD_DIR}/config/hooks/live/0900_ufw_setup.chroot" sed -i "s|^declare -r SSHPORT=\"MUST_BE_SET\"|declare -r SSHPORT=\"${sshport}\"|" "${VAR_HANDLER_BUILD_DIR}/config/hooks/live/0900_ufw_setup.chroot"
sed -i "s|^Port MUST_BE_CHANGED|Port ${sshport}|" "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/etc/ssh/sshd_config" sed -i "s|^Port MUST_BE_CHANGED|Port ${sshport}|" "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/etc/ssh/sshd_config"
if [[ ${#ARY_HANDLER_JUMPHOST_UNIQUE[@]} -gt 0 ]]; then if [[ ${#ARY_HANDLER_JUMPHOST_UNIQUE[@]} -gt 0 ]]; then
@@ -171,6 +234,7 @@ hardening_ultra() {
declare file="${VAR_HANDLER_BUILD_DIR}/config/hooks/live/0900_ufw_setup.chroot" declare file="${VAR_HANDLER_BUILD_DIR}/config/hooks/live/0900_ufw_setup.chroot"
sed -i "/^ufw allow in \"\${SSHPORT}\"\/tcp comment 'Incoming SSH (Custom-Port)'$/d" "${file}" sed -i "/^ufw allow in \"\${SSHPORT}\"\/tcp comment 'Incoming SSH (Custom-Port)'$/d" "${file}"
declare line declare line
# shellcheck disable=SC2312
line=$(grep -n '^ufw default deny forward$' "${file}" | cut -d: -f1) line=$(grep -n '^ufw default deny forward$' "${file}" | cut -d: -f1)
if [[ -z "${line}" ]]; then if [[ -z "${line}" ]]; then
@@ -181,7 +245,7 @@ hardening_ultra() {
declare host declare host
for host in "${ARY_HANDLER_JUMPHOST_UNIQUE[@]}"; do for host in "${ARY_HANDLER_JUMPHOST_UNIQUE[@]}"; do
((line++)) ((line++))
sed -i "${line}a ufw allow from ${host} to any port ${sshport} proto tcp comment \"Incoming SSH ([${host}]:${sshport})\"" "$file" sed -i "${line}a ufw allow from ${host} to any port ${sshport} proto tcp comment \"Incoming SSH ([${host}]:${sshport})\"" "${file}"
done done
fi fi
fi fi
@@ -204,6 +268,7 @@ hardening_ultra() {
declare ips="${ARY_HANDLER_JUMPHOST[*]}" declare ips="${ARY_HANDLER_JUMPHOST[*]}"
# Flatten to a single line and strip literal brackets [] # Flatten to a single line and strip literal brackets []
declare flat_ips declare flat_ips
# shellcheck disable=SC2312
flat_ips=$(printf "%s" "${ips}" | tr '\n' ' ' | tr -d '[]') flat_ips=$(printf "%s" "${ips}" | tr '\n' ' ' | tr -d '[]')
# flat_ips now contains e.g., "123.128.111.42 2a03:ffff:0815:4711:... 2a03:.../64" # flat_ips now contains e.g., "123.128.111.42 2a03:ffff:0815:4711:... 2a03:.../64"