Console Lockdown.

Allow members of group 'console' to use tty1 to tty7. Everyone else except
members of group 'console-unrestricted' are restricted from using console
using ancient, unpopular login methods such as using /bin/login over networks,
which might be exploitable. (CVE-2001-0797)

Not enabled by default in this package since this package does not know which
users shall be added to group 'console'.

In new Whonix builds, user 'user" will be added to group 'console' and
pam console-lockdown enabled by package anon-base-files.

/usr/share/pam-configs/console-lockdown

/etc/security/access-security-misc.conf

https://forums.whonix.org/t/etc-security-hardening/8592

debian/control

@@ -171,6 +171,18 @@ Description: enhances misc security settings
  prevented by shipping an existing and empty /etc/securetty.
  (Deletion of /etc/securetty has a different effect.)
  /etc/securetty.security-misc
+ .
+  * Console Lockdown.
+ Allow members of group 'console' to use tty1 to tty7. Everyone else except
+ members of group 'console-unrestricted' are restricted from using console
+ using ancient, unpopular login methods such as using /bin/login over networks,
+ which might be exploitable. (CVE-2001-0797)
+ Not enabled by default in this package since this package does not know which
+ users shall be added to group 'console'.
+ In new Whonix builds, user 'user" will be added to group 'console' and
+ pam console-lockdown enabled by package anon-base-files.
+ /usr/share/pam-configs/console-lockdown
+ /etc/security/access-security-misc.conf
  .
  Protect Linux user accounts against brute force attacks.
  Lock user accounts after 50 failed login attempts using pam_tally2.

debian/security-misc.postinst

@@ -32,6 +32,10 @@ esac
 addgroup root sudo
 addgroup --system sysfs
 addgroup --system cpuinfo
+addgroup --system console
+addgroup --system console-unrestricted
+
+addgroup root console
 
 pam-auth-update --package