security-misc/etc/security/access-security-misc.conf

## Copyright (C) 2019 - 2019 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>
## See the file COPYING for copying conditions.

## Console Lockdown
## https://forums.whonix.org/t/etc-security-hardening/8592

## This is the error message should this fail:
## sudo su
## sudo: PAM account management error: Permission denied

## see also:
## man access.conf
## man pam_access

## Usually tty7 is for X.
## Qubes uses tty1 for X.

## Allow members of group 'console' to use tty1 to tty7 and pts/0 to pts/9.
## Qubes has 'pts/0'.
+:console:tty1 tty2 tty3 tty4 tty5 tty6 tty7 pts/0 pts/1 pts/2 pts/3 pts/4 pts/5 pts/6 pts/7 pts/8 pts/9

## Everyone else except members of group 'console-unrestricted'
## are restricted from everything else.
-:ALL EXCEPT console-unrestricted :ALL
Console Lockdown. Allow members of group 'console' to use tty1 to tty7. Everyone else except members of group 'console-unrestricted' are restricted from using console using ancient, unpopular login methods such as using /bin/login over networks, which might be exploitable. (CVE-2001-0797) Not enabled by default in this package since this package does not know which users shall be added to group 'console'. In new Whonix builds, user 'user" will be added to group 'console' and pam console-lockdown enabled by package anon-base-files. /usr/share/pam-configs/console-lockdown /etc/security/access-security-misc.conf https://forums.whonix.org/t/etc-security-hardening/8592 2019-12-07 05:40:20 -05:00			`## Copyright (C) 2019 - 2019 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>`
			`## See the file COPYING for copying conditions.`

			`## Console Lockdown`
			`## https://forums.whonix.org/t/etc-security-hardening/8592`

comment 2019-12-07 05:52:06 -05:00			`## This is the error message should this fail:`
			`## sudo su`
			`## sudo: PAM account management error: Permission denied`

Console Lockdown. Allow members of group 'console' to use tty1 to tty7. Everyone else except members of group 'console-unrestricted' are restricted from using console using ancient, unpopular login methods such as using /bin/login over networks, which might be exploitable. (CVE-2001-0797) Not enabled by default in this package since this package does not know which users shall be added to group 'console'. In new Whonix builds, user 'user" will be added to group 'console' and pam console-lockdown enabled by package anon-base-files. /usr/share/pam-configs/console-lockdown /etc/security/access-security-misc.conf https://forums.whonix.org/t/etc-security-hardening/8592 2019-12-07 05:40:20 -05:00			`## see also:`
			`## man access.conf`
			`## man pam_access`

			`## Usually tty7 is for X.`
			`## Qubes uses tty1 for X.`

add pts/0 to pts/9 2019-12-07 05:56:57 -05:00			`## Allow members of group 'console' to use tty1 to tty7 and pts/0 to pts/9.`
			`## Qubes has 'pts/0'.`
			`+:console:tty1 tty2 tty3 tty4 tty5 tty6 tty7 pts/0 pts/1 pts/2 pts/3 pts/4 pts/5 pts/6 pts/7 pts/8 pts/9`
Console Lockdown. Allow members of group 'console' to use tty1 to tty7. Everyone else except members of group 'console-unrestricted' are restricted from using console using ancient, unpopular login methods such as using /bin/login over networks, which might be exploitable. (CVE-2001-0797) Not enabled by default in this package since this package does not know which users shall be added to group 'console'. In new Whonix builds, user 'user" will be added to group 'console' and pam console-lockdown enabled by package anon-base-files. /usr/share/pam-configs/console-lockdown /etc/security/access-security-misc.conf https://forums.whonix.org/t/etc-security-hardening/8592 2019-12-07 05:40:20 -05:00
			`## Everyone else except members of group 'console-unrestricted'`
			`## are restricted from everything else.`
			`-:ALL EXCEPT console-unrestricted :ALL`