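#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.;
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.;
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
#
# Hardening step of the live builder: banner/MOTD, /etc/login.defs password
# and umask policy, cron and sudoers access, SSH/home permissions, root-only
# toolchain, and a locked-down /root. Must run as root inside the target
# image. Every step aborts the build on failure (set -e) unless it is
# explicitly marked best-effort below.

set -Ceuo pipefail

readonly BACKUP_DIR=/root/.ciss/dlb/backup
readonly LOGIN_DEFS=/etc/login.defs

# Print a message to stderr and abort the build.
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

#######################################
# Set KEY to VALUE in /etc/login.defs and verify that it took effect.
# Matches the entry whether it is active or commented out and whatever
# whitespace separates key and value (the stock file uses tabs here, so the
# previous single-space patterns could silently miss entries), uncomments it
# and keeps any trailing text on the line.
# Arguments: $1 - key, $2 - value (both [A-Z0-9_] only; used unquoted in a regex)
# Returns:   0 on success; dies if the key is absent or the value did not land
#######################################
set_login_def() {
  local key=$1 value=$2
  sed -Ei "s/^#?(${key})[[:space:]]+[^[:space:]]+/\1 ${value}/" "${LOGIN_DEFS}"
  # sed -i exits 0 even when nothing matched; a hardening setting that was not
  # applied must not be reported as "successfully applied" at the end.
  grep -Eq "^${key}[[:space:]]+${value}([[:space:]]|$)" "${LOGIN_DEFS}" \
    || die "❌ Error: could not set ${key} to ${value} in ${LOGIN_DEFS}"
}

# Pre-login banners stay world-readable.
harden_banners() {
  chmod 0644 /etc/banner
  chmod 0644 /etc/issue
  chmod 0644 /etc/issue.net
}

# Replace /etc/motd with the project banner, backing up any existing one.
install_motd() {
  if [[ -f /etc/motd ]]; then
    cp -a /etc/motd "${BACKUP_DIR}/motd.bak"
    chmod 0644 "${BACKUP_DIR}/motd.bak"
    rm /etc/motd
  fi
  # '>|' overrides noclobber (-C); the quoted delimiter keeps the text literal.
  cat <<'EOF' >| /etc/motd
(c) Marc S. Weidner, 2018 - 2025
(p) Centurion Press, 2018 - 2025
Centurion Intelligence Consulting Agency (tm)
https://coresecret.eu/
Please consider making a donation: https://coresecret.eu/spenden/
EOF
  # Same mode as the banners and the backup copy, whatever the build umask is.
  chmod 0644 /etc/motd
}

# Password, hashing and umask policy in /etc/login.defs (backup first).
harden_login_defs() {
  cp -a "${LOGIN_DEFS}" "${BACKUP_DIR}/login.defs.bak"
  set_login_def LOGIN_TIMEOUT 180
  set_login_def UMASK 077
  set_login_def PASS_MAX_DAYS 16384
  set_login_def PASS_MIN_DAYS 1
  set_login_def PASS_WARN_AGE 128
  set_login_def ENCRYPT_METHOD YESCRYPT
  set_login_def SHA_CRYPT_MIN_ROUNDS 8388608
  set_login_def SHA_CRYPT_MAX_ROUNDS 8388608
  set_login_def YESCRYPT_COST_FACTOR 8
}

# Only root may use cron: drop cron.deny and write an allow-list holding root.
restrict_cron() {
  if [[ -f /etc/cron.deny ]]; then
    rm /etc/cron.deny
  fi
  if [[ -f /etc/cron.allow ]]; then
    # NOTE(review): this backup lands in /root/.backup rather than BACKUP_DIR
    # like the others — kept as-is; confirm which directory the builder
    # creates, because a missing directory aborts the build here.
    cp -u /etc/cron.allow /root/.backup/cron.allow.bak
    chmod 644 /root/.backup/cron.allow.bak
  else
    touch /etc/cron.allow
  fi
  chmod 0600 /etc/cron.allow
  printf '%s\n' root >| /etc/cron.allow
  chown root:root /etc/cron.allow
}

# Ownership and permissions of sensitive files and directories.
tighten_permissions() {
  chmod 0640 /etc/shadow
  chown root:shadow /etc/shadow
  chmod 0700 /etc/cron.d /etc/cron.daily /etc/cron.hourly /etc/cron.monthly /etc/cron.weekly
  chmod 0700 /etc/sudoers.d
  chmod 0600 /etc/crontab
  # NOTE(review): /etc/ssh/ssh_config is the client-side config read by every
  # user's ssh; 0600 hides it from non-root users — confirm this is intended.
  chmod 0600 /etc/ssh/sshd_config /etc/ssh/ssh_config
  chmod 0750 /home
  # The apt-mirror spool is not present on every image: best-effort by design.
  chmod 0750 /var/spool/apt-mirror || true
  # -p so that re-running the script does not abort on an existing directory.
  mkdir -p /root/.ansible
}

# Make the toolchain root-only, following alternatives/symlinks to the real binary.
restrict_compilers() {
  local bin target
  for bin in as gcc g++ cc clang; do
    # readlink -e, not -f: -f also succeeds when the final path component is
    # missing, so the "not found" branch was never taken and a missing tool
    # surfaced as a chmod error instead.
    if ! target=$(readlink -e "/usr/bin/${bin}"); then
      printf "\e[92m✅ Info: '%s' not found, skipping. \e[0m\n" "${bin}"
      continue
    fi
    # Best-effort by design: report the failure and carry on with the next tool.
    if ! chmod 700 "${target}"; then
      printf "\e[92m❌ Error: chmod failed for '%s', skipping. \e[0m\n" "${bin}" >&2
    fi
  done
}

# Lock down /root: 0700 directories and executables, 0600 other files, root:root.
lock_root_home() {
  ### Directories: 0700
  find /root -type d -exec chmod 0700 {} +
  ### Executable files: 0700 (any x-bit set)
  find /root -type f -perm /111 -exec chmod 0700 {} +
  ### Non-executable files: 0600
  find /root -type f ! -perm /111 -exec chmod 0600 {} +
  ### Ownership: UID:GID (do not dereference symlinks; stay on this filesystem)
  find /root -xdev -exec chown -h root:root {} +
}

main() {
  printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
  harden_banners
  install_motd
  harden_login_defs
  restrict_cron
  tighten_permissions
  restrict_compilers
  lock_root_home
  printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' successfully applied. \e[0m\n" "${0}"
}

main "$@"
exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh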