V8.02.644.2025.05.31
All checks were successful
Retrieve the DNSSEC status at the time of updating the repository. / build-dnssec-diagram (push) Successful in 30s
All checks were successful
Retrieve the DNSSEC status at the time of updating the repository. / build-dnssec-diagram (push) Successful in 30s
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
This commit is contained in:
@@ -11,65 +11,65 @@
|
||||
# SPDX-Security-Contact: security@coresecret.eu
|
||||
|
||||
#######################################
|
||||
# Wrapper for accompanying all CISS.2025 hardening features into the Live ISO image.
|
||||
# Wrapper for accompanying all CISS.debian.hardening features into the Live ISO image.
|
||||
# Globals:
|
||||
# HANDLER_ARCHITECTURE
|
||||
# HANDLER_BUILD_DIR
|
||||
# HANDLER_SSHPORT
|
||||
# HANDLER_SSHPUBKEY
|
||||
# WORKDIR
|
||||
# handler_jumphost
|
||||
# handler_jumphost_unique
|
||||
# ARY_HANDLER_JUMPHOST
|
||||
# ARY_HANDLER_JUMPHOST_UNIQUE
|
||||
# VAR_ARCHITECTURE
|
||||
# VAR_HANDLER_BUILD_DIR
|
||||
# VAR_SSHPORT
|
||||
# VAR_SSHPUBKEY
|
||||
# VAR_WORKDIR
|
||||
# Arguments:
|
||||
# None
|
||||
#######################################
|
||||
hardening_ultra() {
|
||||
# shellcheck disable=SC2164
|
||||
cd "${WORKDIR}"
|
||||
cd "${VAR_WORKDIR}"
|
||||
|
||||
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Copying ./config/bootloaders ... \e[0m\n"
|
||||
if [[ ! -d "${HANDLER_BUILD_DIR}/config/bootloaders" ]]; then
|
||||
mkdir -p "${HANDLER_BUILD_DIR}/config/bootloaders"
|
||||
cp -af ./config/bootloaders "${HANDLER_BUILD_DIR}/config"
|
||||
if [[ ! -d "${VAR_HANDLER_BUILD_DIR}/config/bootloaders" ]]; then
|
||||
mkdir -p "${VAR_HANDLER_BUILD_DIR}/config/bootloaders"
|
||||
cp -af ./config/bootloaders "${VAR_HANDLER_BUILD_DIR}/config"
|
||||
else
|
||||
cp -af ./config/bootloaders "${HANDLER_BUILD_DIR}/config"
|
||||
cp -af ./config/bootloaders "${VAR_HANDLER_BUILD_DIR}/config"
|
||||
fi
|
||||
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Copying ./config/bootloaders done.\e[0m\n"
|
||||
|
||||
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Copying ./config/includes.binary ... \e[0m\n"
|
||||
if [[ ! -d "${HANDLER_BUILD_DIR}/config/includes.binary/boot/grub" ]]; then
|
||||
mkdir -p "${HANDLER_BUILD_DIR}/config/includes.binary/boot/grub"
|
||||
cp -af ./config/includes.binary "${HANDLER_BUILD_DIR}/config"
|
||||
if [[ ! -d "${VAR_HANDLER_BUILD_DIR}/config/includes.binary/boot/grub" ]]; then
|
||||
mkdir -p "${VAR_HANDLER_BUILD_DIR}/config/includes.binary/boot/grub"
|
||||
cp -af ./config/includes.binary "${VAR_HANDLER_BUILD_DIR}/config"
|
||||
else
|
||||
cp -af ./config/includes.binary "${HANDLER_BUILD_DIR}/config"
|
||||
cp -af ./config/includes.binary "${VAR_HANDLER_BUILD_DIR}/config"
|
||||
fi
|
||||
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Copying ./config/includes.binary done.\e[0m\n"
|
||||
|
||||
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Copying ./config/hooks/live ... \e[0m\n"
|
||||
if [[ ! -d "${HANDLER_BUILD_DIR}/config/hooks/live" ]]; then
|
||||
mkdir -p "${HANDLER_BUILD_DIR}/config/hooks/live"
|
||||
cp -af ./config/hooks/live "${HANDLER_BUILD_DIR}/config/hooks"
|
||||
if [[ ! -d "${VAR_HANDLER_BUILD_DIR}/config/hooks/live" ]]; then
|
||||
mkdir -p "${VAR_HANDLER_BUILD_DIR}/config/hooks/live"
|
||||
cp -af ./config/hooks/live "${VAR_HANDLER_BUILD_DIR}/config/hooks"
|
||||
else
|
||||
cp -af ./config/hooks/live "${HANDLER_BUILD_DIR}/config/hooks"
|
||||
cp -af ./config/hooks/live "${VAR_HANDLER_BUILD_DIR}/config/hooks"
|
||||
fi
|
||||
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Copying ./config/hooks/live done.\e[0m\n"
|
||||
|
||||
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Copying ./config/includes.chroot ... \e[0m\n"
|
||||
if [[ ! -d "${HANDLER_BUILD_DIR}/config/includes.chroot" ]]; then
|
||||
mkdir -p "${HANDLER_BUILD_DIR}/config/includes.chroot"
|
||||
cp -af ./config/includes.chroot "${HANDLER_BUILD_DIR}/config"
|
||||
if [[ ! -d "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot" ]]; then
|
||||
mkdir -p "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot"
|
||||
cp -af ./config/includes.chroot "${VAR_HANDLER_BUILD_DIR}/config"
|
||||
else
|
||||
cp -af ./config/includes.chroot "${HANDLER_BUILD_DIR}/config"
|
||||
cp -af ./config/includes.chroot "${VAR_HANDLER_BUILD_DIR}/config"
|
||||
fi
|
||||
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Copying ./config/includes.chroot done.\e[0m\n"
|
||||
|
||||
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Copying ./config/package-lists ... \e[0m\n"
|
||||
if [[ ! -d "${HANDLER_BUILD_DIR}/config/package-lists" ]]; then
|
||||
mkdir -p "${HANDLER_BUILD_DIR}/config/package-lists"
|
||||
if [[ ! -d "${VAR_HANDLER_BUILD_DIR}/config/package-lists" ]]; then
|
||||
mkdir -p "${VAR_HANDLER_BUILD_DIR}/config/package-lists"
|
||||
fi
|
||||
cp -af ./config/package-lists/live.list.common.chroot "${HANDLER_BUILD_DIR}/config/package-lists/live.list.chroot"
|
||||
cp -af ./config/package-lists/live.list.common.chroot "${VAR_HANDLER_BUILD_DIR}/config/package-lists/live.list.chroot"
|
||||
|
||||
case "${HANDLER_ARCHITECTURE}" in
|
||||
case "${VAR_ARCHITECTURE}" in
|
||||
amd64)
|
||||
declare arch_list="./config/package-lists/live.list.amd64.chroot"
|
||||
declare arch_comment="# amd64 specific packages"
|
||||
@@ -79,7 +79,7 @@ hardening_ultra() {
|
||||
declare arch_comment="# arm64 specific packages"
|
||||
;;
|
||||
*)
|
||||
printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ Unsupported architecture '%s'.\e[0m\n" "${HANDLER_ARCHITECTURE}"
|
||||
printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ Unsupported architecture '%s'.\e[0m\n" "${VAR_ARCHITECTURE}"
|
||||
exit 1
|
||||
;;
|
||||
esac
|
||||
@@ -105,26 +105,26 @@ hardening_ultra() {
|
||||
}
|
||||
print
|
||||
}
|
||||
' "${HANDLER_BUILD_DIR}/config/package-lists/live.list.chroot" > temp && mv temp "${HANDLER_BUILD_DIR}/config/package-lists/live.list.chroot"
|
||||
' "${VAR_HANDLER_BUILD_DIR}/config/package-lists/live.list.chroot" > temp && mv temp "${VAR_HANDLER_BUILD_DIR}/config/package-lists/live.list.chroot"
|
||||
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Copying ./config/package-lists done.\e[0m\n"
|
||||
|
||||
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Updating SSH Keys, Ports ... \e[0m\n"
|
||||
if [[ ! -d "${HANDLER_BUILD_DIR}/config/includes.chroot/root/.ssh" ]]; then
|
||||
if [[ ! -d "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/.ssh" ]]; then
|
||||
|
||||
mkdir -p "${HANDLER_BUILD_DIR}/config/includes.chroot/root/.ssh"
|
||||
cp -af "${HANDLER_SSHPUBKEY}/authorized_keys" "${HANDLER_BUILD_DIR}/config/includes.chroot/root/.ssh"
|
||||
chmod 0600 "${HANDLER_BUILD_DIR}/config/includes.chroot/root/.ssh/authorized_keys"
|
||||
chown root:root "${HANDLER_BUILD_DIR}/config/includes.chroot/root/.ssh/authorized_keys"
|
||||
mkdir -p "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/.ssh"
|
||||
cp -af "${VAR_SSHPUBKEY}/authorized_keys" "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/.ssh"
|
||||
chmod 0600 "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/.ssh/authorized_keys"
|
||||
chown root:root "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/.ssh/authorized_keys"
|
||||
|
||||
declare -r sshport="${HANDLER_SSHPORT:-22}"
|
||||
declare -r sshport="${VAR_SSHPORT:-22}"
|
||||
|
||||
sed -i "s|^port = MUST_BE_SET|port = ${sshport}|" "${HANDLER_BUILD_DIR}/config/hooks/live/9950_fail2ban_hardening.chroot"
|
||||
sed -i "s|^declare -r SSHPORT=\"MUST_BE_SET\"|declare -r SSHPORT=\"${sshport}\"|" "${HANDLER_BUILD_DIR}/config/hooks/live/0900_ufw_setup.chroot"
|
||||
sed -i "s|^Port MUST_BE_CHANGED|Port ${sshport}|" "${HANDLER_BUILD_DIR}/config/includes.chroot/etc/ssh/sshd_config"
|
||||
sed -i "s|^port = MUST_BE_SET|port = ${sshport}|" "${VAR_HANDLER_BUILD_DIR}/config/hooks/live/9950_fail2ban_hardening.chroot"
|
||||
sed -i "s|^declare -r SSHPORT=\"MUST_BE_SET\"|declare -r SSHPORT=\"${sshport}\"|" "${VAR_HANDLER_BUILD_DIR}/config/hooks/live/0900_ufw_setup.chroot"
|
||||
sed -i "s|^Port MUST_BE_CHANGED|Port ${sshport}|" "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/etc/ssh/sshd_config"
|
||||
|
||||
if [[ ${#handler_jumphost[@]} -gt 0 ]]; then
|
||||
if [[ ${#ARY_HANDLER_JUMPHOST[@]} -gt 0 ]]; then
|
||||
|
||||
declare file="${HANDLER_BUILD_DIR}/config/hooks/live/0900_ufw_setup.chroot"
|
||||
declare file="${VAR_HANDLER_BUILD_DIR}/config/hooks/live/0900_ufw_setup.chroot"
|
||||
sed -i "/^ufw allow in \"\${SSHPORT}\"\/tcp comment 'Incoming SSH (Custom-Port)'$/d" "${file}"
|
||||
declare line
|
||||
line=$(grep -n '^ufw default deny forward$' "${file}" | cut -d: -f1)
|
||||
@@ -135,7 +135,7 @@ hardening_ultra() {
|
||||
fi
|
||||
|
||||
declare host
|
||||
for host in "${handler_jumphost_unique[@]}"; do
|
||||
for host in "${ARY_HANDLER_JUMPHOST_UNIQUE[@]}"; do
|
||||
((line++))
|
||||
sed -i "${line}a ufw allow from \"${host}\" to any port \"${sshport}\" proto tcp comment \"Incoming SSH ([${host}]:${sshport})\"" "$file"
|
||||
done
|
||||
@@ -143,19 +143,19 @@ hardening_ultra() {
|
||||
|
||||
else
|
||||
|
||||
cp -af "${HANDLER_SSHPUBKEY}/authorized_keys" "${HANDLER_BUILD_DIR}/config/includes.chroot/root/.ssh"
|
||||
chmod 0600 "${HANDLER_BUILD_DIR}/config/includes.chroot/root/.ssh/authorized_keys"
|
||||
chown root:root "${HANDLER_BUILD_DIR}/config/includes.chroot/root/.ssh/authorized_keys"
|
||||
cp -af "${VAR_SSHPUBKEY}/authorized_keys" "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/.ssh"
|
||||
chmod 0600 "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/.ssh/authorized_keys"
|
||||
chown root:root "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/.ssh/authorized_keys"
|
||||
|
||||
declare -r sshport="${HANDLER_SSHPORT:-22}"
|
||||
declare -r sshport="${VAR_SSHPORT:-22}"
|
||||
|
||||
sed -i "s|^port = MUST_BE_SET|port = ${sshport}|" "${HANDLER_BUILD_DIR}/config/hooks/live/9950_fail2ban_hardening.chroot"
|
||||
sed -i "s|^declare -r SSHPORT=\"MUST_BE_SET\"|declare -r SSHPORT=\"$sshport\"|" "${HANDLER_BUILD_DIR}/config/hooks/live/0900_ufw_setup.chroot"
|
||||
sed -i "s|^Port MUST_BE_CHANGED|Port ${sshport}|" "${HANDLER_BUILD_DIR}/config/includes.chroot/etc/ssh/sshd_config"
|
||||
sed -i "s|^port = MUST_BE_SET|port = ${sshport}|" "${VAR_HANDLER_BUILD_DIR}/config/hooks/live/9950_fail2ban_hardening.chroot"
|
||||
sed -i "s|^declare -r SSHPORT=\"MUST_BE_SET\"|declare -r SSHPORT=\"$sshport\"|" "${VAR_HANDLER_BUILD_DIR}/config/hooks/live/0900_ufw_setup.chroot"
|
||||
sed -i "s|^Port MUST_BE_CHANGED|Port ${sshport}|" "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/etc/ssh/sshd_config"
|
||||
|
||||
if [[ ${#handler_jumphost_unique[@]} -gt 0 ]]; then
|
||||
if [[ ${#ARY_HANDLER_JUMPHOST_UNIQUE[@]} -gt 0 ]]; then
|
||||
|
||||
declare file="${HANDLER_BUILD_DIR}/config/hooks/live/0900_ufw_setup.chroot"
|
||||
declare file="${VAR_HANDLER_BUILD_DIR}/config/hooks/live/0900_ufw_setup.chroot"
|
||||
sed -i "/^ufw allow in \"\${SSHPORT}\"\/tcp comment 'Incoming SSH (Custom-Port)'$/d" "${file}"
|
||||
declare line
|
||||
line=$(grep -n '^ufw default deny forward$' "${file}" | cut -d: -f1)
|
||||
@@ -166,7 +166,7 @@ hardening_ultra() {
|
||||
fi
|
||||
|
||||
declare host
|
||||
for host in "${handler_jumphost_unique[@]}"; do
|
||||
for host in "${ARY_HANDLER_JUMPHOST_UNIQUE[@]}"; do
|
||||
((line++))
|
||||
sed -i "${line}a ufw allow from \"${host}\" to any port \"${sshport}\" proto tcp comment \"Incoming SSH ([${host}]:${sshport})\"" "$file"
|
||||
done
|
||||
@@ -174,21 +174,21 @@ hardening_ultra() {
|
||||
fi
|
||||
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Updating SSH Keys, Ports done. \e[0m\n"
|
||||
|
||||
if [[ -f "${WORKDIR}/hosts.allow" ]]; then
|
||||
if [[ -f "${VAR_WORKDIR}/hosts.allow" ]]; then
|
||||
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 SSH Hardening Ultra ... \e[0m\n"
|
||||
cp -af "${WORKDIR}/hosts.allow" "${HANDLER_BUILD_DIR}/config/includes.chroot/etc"
|
||||
cp -af "${WORKDIR}/hosts.deny" "${HANDLER_BUILD_DIR}/config/includes.chroot/etc"
|
||||
chmod 0644 "${HANDLER_BUILD_DIR}/config/includes.chroot/etc/hosts.allow"
|
||||
chmod 0644 "${HANDLER_BUILD_DIR}/config/includes.chroot/etc/hosts.deny"
|
||||
rm -f "${WORKDIR}/hosts.allow"
|
||||
rm -f "${WORKDIR}/hosts.deny"
|
||||
cp -af "${VAR_WORKDIR}/hosts.allow" "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/etc"
|
||||
cp -af "${VAR_WORKDIR}/hosts.deny" "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/etc"
|
||||
chmod 0644 "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/etc/hosts.allow"
|
||||
chmod 0644 "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/etc/hosts.deny"
|
||||
rm -f "${VAR_WORKDIR}/hosts.allow"
|
||||
rm -f "${VAR_WORKDIR}/hosts.deny"
|
||||
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ SSH Hardening Ultra done.\e[0m\n"
|
||||
fi
|
||||
|
||||
if ((${#handler_jumphost[@]} > 0)); then
|
||||
if ((${#ARY_HANDLER_JUMPHOST[@]} > 0)); then
|
||||
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Updating fail2ban Jumphosts IPs ... \e[0m\n"
|
||||
# Join array entries with spaces, preserving any newlines
|
||||
declare ips="${handler_jumphost[*]}"
|
||||
declare ips="${ARY_HANDLER_JUMPHOST[*]}"
|
||||
# Flatten to a single line and strip literal brackets []
|
||||
declare flat_ips
|
||||
flat_ips=$(printf "%s" "${ips}" | tr '\n' ' ' | tr -d '[]')
|
||||
@@ -196,14 +196,14 @@ hardening_ultra() {
|
||||
|
||||
# Perform an in-place replacement of MUST_BE_SET with the cleaned list
|
||||
sed -i -e "s|^\(ignoreip[[:space:]]*=[[:space:]]*127\.0\.0\.0/8 ::1[[:space:]]*\)MUST_BE_SET|\1${flat_ips}|" \
|
||||
"${HANDLER_BUILD_DIR}/config/hooks/live/9950_fail2ban_hardening.chroot"
|
||||
"${VAR_HANDLER_BUILD_DIR}/config/hooks/live/9950_fail2ban_hardening.chroot"
|
||||
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Updating fail2ban Jumphosts IPs done. \e[0m\n"
|
||||
else
|
||||
printf "\e[93m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 No jump hosts configured, removing placeholder ... \e[0m\n"
|
||||
sed -i \
|
||||
-e "s|^\(ignoreip[[:space:]]*=[[:space:]]*127\.0\.0\.0/8 ::1\)[[:space:]]*MUST_BE_SET|\1|" \
|
||||
-e "s|\(ignoreip[[:space:]]*=[[:space:]]*127\.0\.0\.0/8 ::1\)[[:space:]]*$|\1|" \
|
||||
"${HANDLER_BUILD_DIR}/config/hooks/live/9950_fail2ban_hardening.chroot"
|
||||
"${VAR_HANDLER_BUILD_DIR}/config/hooks/live/9950_fail2ban_hardening.chroot"
|
||||
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Placeholder removed. \e[0m\n"
|
||||
fi
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user