Moved default definitions, CLEAN cis/core/default AFTER all hosts adapted

.gitignore

@@ -1,10 +1,24 @@
-# Ignore the file '/overrideOwnDomain' because this is per host individually.
+# Ignore the file '/overrideOwnDomain' because this is per host individually if it was created.
 /overrideOwnDomain
 
 # Ignore the subfolders only, because their content are other git repositories.
-# But 'definitions and 'states' should be prepared by cloning this repository.
-/definitions/*/
-/states/*/
+# But 'definitions and 'states' should be prepared by cloning this repository, so:
+
+# 1.) Ignore all content of 'definitions', except file README.md and subfolder 'default/core/all/'
+/definitions/*
+!/definitions/README.md
+!/definitions/default/
+/definitions/default/*
+!/definitions/default/core/
+/definitions/default/core/*
+!/definitions/default/core/all/
+
+# 2.) Ignore all content of 'states', except file README.md
+/states/*
+!/states/README.md
 
 # Ignore environment files
 .env
+
+# Ignore docker-compose files
+docker-compose.yml

core/ensureUsageOfDefinitions.sh

@@ -53,14 +53,14 @@ function filterInvalidAuthorizedKeysFilesOfRoot() {
 }
 
 function printSelectedDefinition() {
-    local _DEFINITIONS  _CORE_FILE_DEFINED_ALL_HOSTS _CORE_FILE_DEFINED_THIS_HOST _FILE_DEFINED_ALL_HOSTS _FILE_DEFINED_THIS_HOST
+    local _DEFINITIONS _CORE_FILE_DEFAULT_ALL_HOSTS _CORE_FILE_DEFINED_ALL_HOSTS _CORE_FILE_DEFINED_THIS_HOST _FILE_DEFINED_ALL_HOSTS _FILE_DEFINED_THIS_HOST
     _DEFINITIONS="${1:?"Missing CIS_ROOT"}definitions/${2:?"Missing DOMAIN"}/"
-    _CORE_DEFAULT_ALL_HOSTS="${1:?"Missing CIS_ROOT"}core/default${3:?"Missing CURRENT_FULLFILE"}"
+    _CORE_FILE_DEFAULT_ALL_HOSTS="${1:?"Missing CIS_ROOT"}definitions/default/core/all${3:?"Missing CURRENT_FULLFILE"}"
     _CORE_FILE_DEFINED_ALL_HOSTS="${_DEFINITIONS:?"Missing DEFINITIONS"}core/all${3:?"Missing CURRENT_FULLFILE"}"
     _CORE_FILE_DEFINED_THIS_HOST="${_DEFINITIONS:?"Missing DEFINITIONS"}core/$(hostname -s)${3:?"Missing CURRENT_FULLFILE"}"
     _FILE_DEFINED_ALL_HOSTS="${_DEFINITIONS:?"Missing DEFINITIONS"}hosts/all${3:?"Missing CURRENT_FULLFILE"}"
     _FILE_DEFINED_THIS_HOST="${_DEFINITIONS:?"Missing DEFINITIONS"}hosts/$(hostname -s)${3:?"Missing CURRENT_FULLFILE"}"
-    readonly _DEFINITIONS _CORE_FILE_DEFINED_ALL_HOSTS _CORE_FILE_DEFINED_THIS_HOST _FILE_DEFINED_ALL_HOSTS _FILE_DEFINED_THIS_HOST
+    readonly _DEFINITIONS _CORE_FILE_DEFAULT_ALL_HOSTS _CORE_FILE_DEFINED_ALL_HOSTS _CORE_FILE_DEFINED_THIS_HOST _FILE_DEFINED_ALL_HOSTS _FILE_DEFINED_THIS_HOST
 
     #The following are special definitions that affect the core functionality.
     #Try this host first because it should be priorized.
@@ -77,8 +77,8 @@ function printSelectedDefinition() {
 
     #The following are special definitions that affect the core functionality.
     isCoreDefinition "${3:?"Missing CURRENT_FULLFILE"}" \
-        && [ -s "${_CORE_DEFAULT_ALL_HOSTS}" ] \
-        && filterInvalidAuthorizedKeysFilesOfRoot "${_CORE_DEFAULT_ALL_HOSTS}" \
+        && [ -s "${_CORE_FILE_DEFAULT_ALL_HOSTS}" ] \
+        && filterInvalidAuthorizedKeysFilesOfRoot "${_CORE_FILE_DEFAULT_ALL_HOSTS}" \
         && return 0
 
     #Try this host first because it should be priorized.

definitions/default/core/all/etc/adduser.conf

@@ -0,0 +1,109 @@
+# /etc/adduser.conf: `adduser' configuration.
+# See adduser(8) and adduser.conf(5) for full documentation.
+
+# A commented out setting indicates that this is the default in the
+# code. If you need to change those settings, remove the comment and
+# make your intended change.
+
+# STDERRMSGLEVEL, STDOUTMSGLEVEL, and LOGMSGLEVEL set the minimum
+# priority for messages logged to syslog/journal and the console,
+# respectively.
+# Values are trace, debug, info, warn, err, and fatal.
+# Messages with the set priority or higher get logged to the
+# respective medium.
+#STDERRMSGLEVEL=warn
+#STDOUTMSGLEVEL=info
+#SYSLOGLEVEL=info
+
+# The login shell to be used for all new users.
+# Default: DSHELL=/bin/bash
+#DSHELL=/bin/bash
+
+# The directory in which new home directories should  be  created.
+# Default: DHOME=/home
+# DHOME=/home
+
+# The directory from which skeletal user configuration files
+# will be copied.
+# Default: SKEL=/etc/skel
+#SKEL=/etc/skel
+
+# Specify inclusive ranges of UIDs and GIDs from which UIDs and GIDs
+# for system users, system groups, non-system users and non-system groups
+# can be dynamically allocated.
+# Default: FIRST_SYSTEM_UID=100, LAST_SYSTEM_UID=999
+#FIRST_SYSTEM_UID=100
+#LAST_SYSTEM_UID=999
+
+# Default: FIRST_SYSTEM_GID=100, LAST_SYSTEM_GID=999
+#FIRST_SYSTEM_GID=100
+#LAST_SYSTEM_GID=999
+
+# Default: FIRST_UID=1000, LAST_UID=59999
+#FIRST_UID=1000
+#LAST_UID=59999
+
+# Default: FIRST_GID=1000, LAST_GID=59999
+#FIRST_GID=1000
+#LAST_GID=59999
+
+# Specify a file or a directory containing UID and GID pool.
+#UID_POOL=/etc/adduser-pool.conf
+#UID_POOL=/etc/adduser-pool.d/
+#GID_POOL=/etc/adduser-pool.conf
+#GID_POOL=/etc/adduser-pool.d/
+
+# Specify whether each created non-system user will be
+# given their own group to use.
+# Default: USERGROUPS=yes
+#USERGROUPS=yes
+
+# Defines the groupname or GID of the group all newly-created
+# non-system users are placed into.
+# It is a configuration error to define both variables
+# even if the values are consistent.
+# Default: USERS_GID=undefined, USERS_GROUP=users
+#USERS_GID=100
+#USERS_GROUP=users
+
+# The permissions mode for home directories of non-system users.
+# Default: DIR_MODE=0750
+#DIR_MODE=0750
+
+# The permissions mode for home directories of system users.
+# Default: SYS_DIR_MODE=0750
+#SYS_DIR_MODE=0750
+
+# If set to a nonempty value, new users will have quotas copied
+# from that user with `edquota -p QUOTAUSER newuser'
+# Default: QUOTAUSER=""
+#QUOTAUSER=""
+
+# Non-system user- and groupnames are checked against this regular
+# expression.
+# Default: NAME_REGEX="^[a-z][-a-z0-9_]*\$?$"
+#NAME_REGEX="^[a-z][-a-z0-9_]*\$?$"
+
+# System user- and groupnames are checked against this regular
+# expression.
+# Default: SYS_NAME_REGEX="^[A-Za-z_][-A-Za-z0-9_]*\$?$"
+#SYS_NAME_REGEX="^[A-Za-z_][-A-Za-z0-9_]*\$?$"
+
+# When populating the newly created home directory of a non-system user,
+# files in SKEL matching this regex are not copied.
+# Default: SKEL_IGNORE_REGEX="\.(dpkg|ucf)-(old|new|dist|save)$"
+#SKEL_IGNORE_REGEX="\.(dpkg|ucf)-(old|new|dist|save)$"
+
+# list of groups that new non-system users will be added to
+# if ADD_EXTRA_GROUPS is non-zero or set on the command line.
+# Default: EXTRA_GROUPS="users"
+#EXTRA_GROUPS="users"
+
+# Setting this to something other than 0 will cause adduser to add
+# newly created non-system users to the list of groups defined by
+# EXTRA_GROUPS.
+# Default: ADD_EXTRA_GROUPS=0
+#ADD_EXTRA_GROUPS=0
+
+# use extrausers by default
+#USE_EXTRAUSERS=1

definitions/default/core/all/etc/ssh/sshd_config.d/AccessRestriction.conf

@@ -0,0 +1,13 @@
+# Remove insecure MACs (Message Authentication Codes). Note the leading '-'.
+MACs -*md5*,*-64*,*sha1*
+# Allows user 'root' to use ssh always.
+# This should prevent lockout because access is allowed without group membership.
+#    For details see: https://serverfault.com/questions/617081/how-to-use-both-allowgroups-and-allowusers-in-sshd-config 
+AllowUsers root
+# 1. Create custom group 'ssh_login' of type system if not exist:
+#    - addgroup --system "ssh_login"
+# 2. Additionally allow users of group 'ssh_login' to use ssh only:
+#    - adduser "${USER}" "ssh_login"
+Match group ssh_login
+    AllowUsers *
+    PasswordAuthentication no

definitions/default/core/all/etc/sudoers.d/allow-jenkins-updateRepositories

@@ -0,0 +1,6 @@
+Cmnd_Alias C_JENKINS = \
+  /cis/updateRepositories.sh --core, \
+  /cis/updateRepositories.sh --scripts, \
+  /cis/updateRepositories.sh --definitions, \
+  /cis/updateRepositories.sh --states
+jenkins ALL = (root) NOPASSWD: C_JENKINS

setupCoreOntoThisHost.sh

@@ -216,8 +216,27 @@ function setup() {
     return 1
 }
 
-# sanitizes all parameters
-setup "$(echo ${1} | sed -E 's|[^a-zA-Z0-9/:@._-]*||g')" \
-    && exit 0
+function isValid() {
+    # printf '%s'
+    #  - always treats the contents of ${1} as pure plain text.
+    # grep -qE: checks RegExp, but quiet
+    printf '%s' "${1}" | grep -qE "${2:?"isValid(): Missing REGEXP"}"
+}
+
+function isValidOptional() {
+    [ -z "${1}" ] || isValid "${1}" "${2}"
+}
+
+
+
+# Parameter 1: Only alphanumeric characters allowed and [.-] if not leading (due to: -oProxyCommand=...).
+if isValidOptional "${1}" '^[a-zA-Z0-9][a-zA-Z0-9.-]*$'
+then
+    setup "${1}" \
+        && exit 0
+else
+    echo "Failure: At least one parameter is invalid" >&2
+    exit 1
+fi
 
 exit 1

updateRepositories.sh

@@ -73,8 +73,27 @@ function update_repositories() {
     return 1
 }
 
-# sanitizes all parameters
-update_repositories "$(echo ${1} | sed -E 's|[^a-zA-Z0-9/:@._-]*||g')" \
-    && exit 0
+function isValid() {
+    # printf '%s'
+    #  - always treats the contents of ${1} as pure plain text.
+    # grep -qE: checks RegExp, but quiet
+    printf '%s' "${1}" | grep -qE "${2:?"isValid(): Missing REGEXP"}"
+}
+
+function isValidOptional() {
+    [ -z "${1}" ] || isValid "${1}" "${2}"
+}
+
+
+
+# Parameter 1: Only one of these values are allowed (--core, --definitions, --repair, --scripts, --states, --test)
+if isValidOptional "${1}" '^(--core|--definitions|--repair|--scripts|--states|--test)$'
+then
+    update_repositories "${1}" \
+        && exit 0
+else
+    echo "Failure: At least one parameter is invalid" >&2
+    exit 1
+fi
 
 exit 1