V8.13.384.2025.11.06
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
@@ -13,24 +13,29 @@
|
||||
guard_sourcing
|
||||
|
||||
#######################################
|
||||
# Wrapper for accompanying all CISS.debian.hardening features into the Live ISO image.
|
||||
# Module for accompanying all 'CISS.debian.hardening' features into the Live ISO image.
|
||||
# Globals:
|
||||
# ARY_HANDLER_JUMPHOST
|
||||
# ARY_HANDLER_JUMPHOST_UNIQUE
|
||||
# BASH_SOURCE
|
||||
# VAR_ARCHITECTURE
|
||||
# VAR_HANDLER_BUILD_DIR
|
||||
# VAR_SSHFP
|
||||
# VAR_SSHPORT
|
||||
# VAR_SSHPUBKEY
|
||||
# VAR_WORKDIR
|
||||
# Arguments:
|
||||
# None
|
||||
# Returns:
|
||||
# 0: on success
|
||||
#######################################
|
||||
hardening_ultra() {
|
||||
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 %s starting ... \e[0m\n" "${BASH_SOURCE[0]}"
|
||||
|
||||
# shellcheck disable=SC2164
|
||||
cd "${VAR_WORKDIR}"
|
||||
|
||||
|
||||
### ./config/bootloaders
|
||||
### ./config/bootloaders -----------------------------------------------------------------------------------------------------
|
||||
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Copying ./config/bootloaders ... \e[0m\n"
|
||||
|
||||
if [[ ! -d "${VAR_HANDLER_BUILD_DIR}/config/bootloaders" ]]; then
|
||||
@@ -47,7 +52,7 @@ hardening_ultra() {
|
||||
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Copying ./config/bootloaders done.\e[0m\n"
|
||||
|
||||
|
||||
### ./config/includes.binary
|
||||
### ./config/includes.binary -------------------------------------------------------------------------------------------------
|
||||
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Copying ./config/includes.binary ... \e[0m\n"
|
||||
|
||||
if [[ ! -d "${VAR_HANDLER_BUILD_DIR}/config/includes.binary/boot/grub" ]]; then
|
||||
@@ -64,7 +69,7 @@ hardening_ultra() {
|
||||
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Copying ./config/includes.binary done.\e[0m\n"
|
||||
|
||||
|
||||
### ./config/includes.chroot
|
||||
### ./config/includes.chroot -------------------------------------------------------------------------------------------------
|
||||
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Copying ./config/includes.chroot ... \e[0m\n"
|
||||
|
||||
if [[ ! -d "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot" ]]; then
|
||||
@@ -85,7 +90,7 @@ hardening_ultra() {
|
||||
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Copying ./config/includes.chroot done.\e[0m\n"
|
||||
|
||||
|
||||
### ./config/hooks/early
|
||||
### ./config/hooks/early -----------------------------------------------------------------------------------------------------
|
||||
if [[ -d "${VAR_WORKDIR}/config/hooks/early" ]]; then
|
||||
|
||||
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Copying ./config/hooks/early ... \e[0m\n"
|
||||
@@ -106,7 +111,7 @@ hardening_ultra() {
|
||||
fi
|
||||
|
||||
|
||||
### ./config/hooks/live
|
||||
### ./config/hooks/live ------------------------------------------------------------------------------------------------------
|
||||
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Copying ./config/hooks/live ... \e[0m\n"
|
||||
|
||||
if [[ ! -d "${VAR_HANDLER_BUILD_DIR}/config/hooks/live" ]]; then
|
||||
@@ -123,7 +128,7 @@ hardening_ultra() {
|
||||
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Copying ./config/hooks/live done.\e[0m\n"
|
||||
|
||||
|
||||
|
||||
### ./config/package-lists ---------------------------------------------------------------------------------------------------
|
||||
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Copying ./config/package-lists ... \e[0m\n"
|
||||
if [[ ! -d "${VAR_HANDLER_BUILD_DIR}/config/package-lists" ]]; then
|
||||
mkdir -p "${VAR_HANDLER_BUILD_DIR}/config/package-lists"
|
||||
@@ -167,150 +172,82 @@ hardening_ultra() {
|
||||
}
|
||||
print
|
||||
}
|
||||
' "${VAR_HANDLER_BUILD_DIR}/config/package-lists/live.list.chroot" > temp && mv temp "${VAR_HANDLER_BUILD_DIR}/config/package-lists/live.list.chroot"
|
||||
' "${VAR_HANDLER_BUILD_DIR}/config/package-lists/live.list.chroot" >| temp && mv temp "${VAR_HANDLER_BUILD_DIR}/config/package-lists/live.list.chroot"
|
||||
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Copying ./config/package-lists done.\e[0m\n"
|
||||
|
||||
|
||||
|
||||
### Updating SSH Keys, Ports.
|
||||
### Updating SSH Keys, Ports -------------------------------------------------------------------------------------------------
|
||||
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Updating SSH Keys, Ports ... \e[0m\n"
|
||||
|
||||
### Check for static SSHFP key material via Gitea Actions Runner Secrets injection.
|
||||
if [[ "${VAR_SSHFP}" == "true" ]]; then
|
||||
### ./config/includes.chroot/root/.ssh ---------------------------------------------------------------------------------------
|
||||
install -d -m 0700 "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/.ssh"
|
||||
install -m 0600 -o root -g root "${VAR_SSHPUBKEY}/authorized_keys" "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/.ssh/"
|
||||
|
||||
rm -f "${VAR_HANDLER_BUILD_DIR}/config/hooks/live/9930_hardening_ssh.chroot"
|
||||
rm -f "${VAR_HANDLER_BUILD_DIR}/config/hooks/live/9935_hardening_ssh.chroot.tmpl"
|
||||
declare -r sshport="${VAR_SSHPORT:-22}"
|
||||
|
||||
else
|
||||
### /config/includes.chroot/etc/ssh/sshd_config
|
||||
# shellcheck disable=SC2155
|
||||
declare pad="$(printf '%-29s' 'Port')"
|
||||
sed -i -E "/PORT_MUST_BE_CHANGED/ s|.*|${pad}${sshport}|" "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/etc/ssh/sshd_config"
|
||||
|
||||
rm -f "${VAR_HANDLER_BUILD_DIR}/config/hooks/live/9935_hardening_ssh.chroot"
|
||||
rm -f "${VAR_HANDLER_BUILD_DIR}/config/hooks/live/9935_hardening_ssh.chroot.tmpl"
|
||||
### /config/hooks/live/9950_hardening_fail2ban.chroot
|
||||
sed -i "s|PORT_MUST_BE_SET|${sshport}|g" "${VAR_HANDLER_BUILD_DIR}/config/hooks/live/9950_hardening_fail2ban.chroot"
|
||||
|
||||
fi
|
||||
### /config/hooks/live/0900_ufw_setup.chroot
|
||||
sed -i "s|SSHPORT_MUST_BE_SET|${sshport}|g" "${VAR_HANDLER_BUILD_DIR}/config/hooks/live/0900_ufw_setup.chroot"
|
||||
|
||||
### /config/includes.chroot/root/.ssh
|
||||
if [[ ! -d "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/.ssh" ]]; then
|
||||
### /config/hooks/live/0900_ufw_setup.chroot
|
||||
if [[ ${#ARY_HANDLER_JUMPHOST[@]} -gt 0 ]]; then
|
||||
|
||||
mkdir -p "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/.ssh"
|
||||
cp -af "${VAR_SSHPUBKEY}/authorized_keys" "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/.ssh"
|
||||
chmod 0600 "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/.ssh/authorized_keys"
|
||||
chown root:root "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/.ssh/authorized_keys"
|
||||
declare file="${VAR_HANDLER_BUILD_DIR}/config/hooks/live/0900_ufw_setup.chroot"
|
||||
|
||||
declare -r sshport="${VAR_SSHPORT:-22}"
|
||||
sed -i "/^ufw allow in \"\${SSHPORT}\"\/tcp comment 'Incoming SSH (Custom-Port)'$/d" "${file}"
|
||||
|
||||
### /config/includes.chroot/etc/ssh/sshd_config
|
||||
# shellcheck disable=SC2155
|
||||
declare pad="$(printf '%-29s' 'Port')"
|
||||
sed -i -E "/PORT_MUST_BE_CHANGED/ s|.*|${pad}${sshport}|" "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/etc/ssh/sshd_config"
|
||||
declare line
|
||||
|
||||
### /config/hooks/live/9950_hardening_fail2ban.chroot
|
||||
sed -i "s|PORT_MUST_BE_SET|${sshport}|g" "${VAR_HANDLER_BUILD_DIR}/config/hooks/live/9950_hardening_fail2ban.chroot"
|
||||
# shellcheck disable=SC2312
|
||||
line=$(grep -n '^ufw default deny forward$' "${file}" | cut -d: -f1)
|
||||
|
||||
### /config/hooks/live/0900_ufw_setup.chroot
|
||||
sed -i "s|SSHPORT_MUST_BE_SET|${sshport}|g" "${VAR_HANDLER_BUILD_DIR}/config/hooks/live/0900_ufw_setup.chroot"
|
||||
if [[ -z "${line}" ]]; then
|
||||
|
||||
|
||||
### /config/hooks/live/0900_ufw_setup.chroot
|
||||
if [[ ${#ARY_HANDLER_JUMPHOST[@]} -gt 0 ]]; then
|
||||
|
||||
declare file="${VAR_HANDLER_BUILD_DIR}/config/hooks/live/0900_ufw_setup.chroot"
|
||||
|
||||
sed -i "/^ufw allow in \"\${SSHPORT}\"\/tcp comment 'Incoming SSH (Custom-Port)'$/d" "${file}"
|
||||
|
||||
declare line
|
||||
|
||||
# shellcheck disable=SC2312
|
||||
line=$(grep -n '^ufw default deny forward$' "${file}" | cut -d: -f1)
|
||||
|
||||
if [[ -z "${line}" ]]; then
|
||||
printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌'ufw default deny forward' not found in: '%s'\e[0m\n" "${file}" >&2
|
||||
exit 1
|
||||
fi
|
||||
|
||||
declare host
|
||||
|
||||
for host in "${ARY_HANDLER_JUMPHOST_UNIQUE[@]}"; do
|
||||
|
||||
((line++))
|
||||
|
||||
sed -i "${line}a ufw allow from ${host} to any port ${sshport} proto tcp comment \"Incoming SSH ([${host}]:${sshport})\"" "${file}"
|
||||
|
||||
done
|
||||
printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌'ufw default deny forward' not found in: '%s'\e[0m\n" "${file}" >&2
|
||||
exit 1
|
||||
|
||||
fi
|
||||
|
||||
else
|
||||
declare host
|
||||
|
||||
cp -af "${VAR_SSHPUBKEY}/authorized_keys" "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/.ssh"
|
||||
chmod 0600 "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/.ssh/authorized_keys"
|
||||
chown root:root "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/.ssh/authorized_keys"
|
||||
for host in "${ARY_HANDLER_JUMPHOST_UNIQUE[@]}"; do
|
||||
|
||||
declare -r sshport="${VAR_SSHPORT:-22}"
|
||||
((line++))
|
||||
|
||||
### /config/includes.chroot/etc/ssh/sshd_config
|
||||
# shellcheck disable=SC2155
|
||||
declare pad="$(printf '%-29s' 'Port')"
|
||||
sed -i -E "/PORT_MUST_BE_CHANGED/ s|.*|${pad}${sshport}|" "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/etc/ssh/sshd_config"
|
||||
sed -i "${line}a ufw allow from ${host} to any port ${sshport} proto tcp comment \"Incoming SSH ([${host}]:${sshport})\"" "${file}"
|
||||
|
||||
### /config/hooks/live/9950_hardening_fail2ban.chroot
|
||||
sed -i "s|PORT_MUST_BE_SET|${sshport}|g" "${VAR_HANDLER_BUILD_DIR}/config/hooks/live/9950_hardening_fail2ban.chroot"
|
||||
|
||||
### /config/hooks/live/0900_ufw_setup.chroot
|
||||
sed -i "s|SSHPORT_MUST_BE_SET|${sshport}|g" "${VAR_HANDLER_BUILD_DIR}/config/hooks/live/0900_ufw_setup.chroot"
|
||||
|
||||
|
||||
### /config/hooks/live/0900_ufw_setup.chroot
|
||||
if [[ ${#ARY_HANDLER_JUMPHOST_UNIQUE[@]} -gt 0 ]]; then
|
||||
|
||||
declare file="${VAR_HANDLER_BUILD_DIR}/config/hooks/live/0900_ufw_setup.chroot"
|
||||
|
||||
sed -i "/^ufw allow in \"\${SSHPORT}\"\/tcp comment 'Incoming SSH (Custom-Port)'$/d" "${file}"
|
||||
|
||||
declare line
|
||||
# shellcheck disable=SC2312
|
||||
line=$(grep -n '^ufw default deny forward$' "${file}" | cut -d: -f1)
|
||||
|
||||
if [[ -z "${line}" ]]; then
|
||||
printf "\e[91m❌ Error: 'ufw default deny forward' not found in: '%s'\e[0m\n" "${file}" >&2
|
||||
exit 1
|
||||
fi
|
||||
|
||||
declare host
|
||||
|
||||
for host in "${ARY_HANDLER_JUMPHOST_UNIQUE[@]}"; do
|
||||
|
||||
((line++))
|
||||
sed -i "${line}a ufw allow from ${host} to any port ${sshport} proto tcp comment \"Incoming SSH ([${host}]:${sshport})\"" "${file}"
|
||||
|
||||
done
|
||||
|
||||
fi
|
||||
done
|
||||
|
||||
fi
|
||||
|
||||
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Updating SSH Keys, Ports done. \e[0m\n"
|
||||
|
||||
|
||||
### /config/includes.chroot/etc/hosts.allow
|
||||
### ./config/includes.chroot/etc/hosts. --------------------------------------------------------------------------------------
|
||||
if [[ -f "${VAR_WORKDIR}/hosts.allow" ]]; then
|
||||
|
||||
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 SSH Hardening Ultra ... \e[0m\n"
|
||||
|
||||
cp -af "${VAR_WORKDIR}/hosts.allow" "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/etc"
|
||||
cp -af "${VAR_WORKDIR}/hosts.deny" "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/etc"
|
||||
mv "${VAR_WORKDIR}/hosts.allow" "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/etc"
|
||||
mv "${VAR_WORKDIR}/hosts.deny" "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/etc"
|
||||
|
||||
chmod 0644 "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/etc/hosts.allow"
|
||||
chmod 0644 "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/etc/hosts.deny"
|
||||
|
||||
rm -f "${VAR_WORKDIR}/hosts.allow"
|
||||
rm -f "${VAR_WORKDIR}/hosts.deny"
|
||||
|
||||
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ SSH Hardening Ultra done.\e[0m\n"
|
||||
|
||||
fi
|
||||
|
||||
|
||||
### /config/hooks/live/9950_hardening_fail2ban.chroot
|
||||
### ./config/hooks/live/9950_hardening_fail2ban.chroot -----------------------------------------------------------------------
|
||||
if ((${#ARY_HANDLER_JUMPHOST[@]} > 0)); then
|
||||
|
||||
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Updating fail2ban Jumphosts IPs ... \e[0m\n"
|
||||
@@ -338,5 +275,12 @@ hardening_ultra() {
|
||||
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Placeholder removed. \e[0m\n"
|
||||
|
||||
fi
|
||||
|
||||
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ %s successfully applied. \e[0m\n" "${BASH_SOURCE[0]}"
|
||||
|
||||
return 0
|
||||
}
|
||||
### Prevents accidental 'unset -f'.
|
||||
# shellcheck disable=SC2034
|
||||
readonly -f hardening_ultra
|
||||
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
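Review bot: `sshport` is taken straight from `VAR_SSHPORT` (`declare -r sshport="${VAR_SSHPORT:-22}"`) and spliced unvalidated into `sed` replacement text for `sshd_config`, the fail2ban hook and the ufw hook, and each `host` from `ARY_HANDLER_JUMPHOST_UNIQUE` is likewise interpolated into the `sed "${line}a ufw allow from ${host} ..."` command in the SSH-ports hunk; a value containing `|`, `/`, `&` or a newline would corrupt or extend the generated hook rather than fail loudly. Right after the `declare -r sshport=...` line I would add `if [[ ! "${sshport}" =~ ^[0-9]{1,5}$ ]] || (( sshport < 1 || sshport > 65535 )); then printf '❌ invalid VAR_SSHPORT: %s\n' "${sshport}" >&2; return 1; fi`, and inside the `for host` loop a matching `[[ "${host}" =~ ^[0-9A-Fa-f.:/]+$ ]] || return 1` guard, assuming the array is meant to hold only IP/CIDR literals (the source of that array is outside this hunk, so confirm). Separately, the "not found" branches use `exit 1` while the function otherwise ends with `return 0` and is protected with `readonly -f`, which suggests it is sourced; if so, `exit` terminates the caller's shell and `return 1` would match the documented return contract better, unless aborting the CI job on the spot is intended.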
|
||||
|
||||
Reference in New Issue
Block a user