Git-Mirrors/security-misc
1
0
Fork 0
mirror of https://github.com/Kicksecure/security-misc.git synced 2025-01-25 23:35:58 -05:00
Code Issues Packages Projects Releases Wiki Activity

Console Lockdown.

Browse Source 
Allow members of group 'console' to use tty1 to tty7. Everyone else except
members of group 'console-unrestricted' are restricted from using console
using ancient, unpopular login methods such as using /bin/login over networks,
which might be exploitable. (CVE-2001-0797)

Not enabled by default in this package since this package does not know which
users shall be added to group 'console'.

In new Whonix builds, user 'user" will be added to group 'console' and
pam console-lockdown enabled by package anon-base-files.

/usr/share/pam-configs/console-lockdown

/etc/security/access-security-misc.conf

https://forums.whonix.org/t/etc-security-hardening/8592
This commit is contained in:
Patrick Schleizer 2019-12-07 05:40:20 -05:00
parent 52934c9288
commit 6479c883bf
No known key found for this signature in database
GPG Key ID: CB8D50BB77BB3C48
4 changed files with 41 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
debian/control vendored
View File

@ -171,6 +171,18 @@ Description: enhances misc security settings
prevented by shipping an existing and empty /etc/securetty. prevented by shipping an existing and empty /etc/securetty.
(Deletion of /etc/securetty has a different effect.) (Deletion of /etc/securetty has a different effect.)
/etc/securetty.security-misc /etc/securetty.security-misc
.
* Console Lockdown.
Allow members of group 'console' to use tty1 to tty7. Everyone else except
members of group 'console-unrestricted' are restricted from using console
using ancient, unpopular login methods such as using /bin/login over networks,
which might be exploitable. (CVE-2001-0797)
Not enabled by default in this package since this package does not know which
users shall be added to group 'console'.
In new Whonix builds, user 'user" will be added to group 'console' and
pam console-lockdown enabled by package anon-base-files.
/usr/share/pam-configs/console-lockdown
/etc/security/access-security-misc.conf
. .
Protect Linux user accounts against brute force attacks. Protect Linux user accounts against brute force attacks.
Lock user accounts after 50 failed login attempts using pam_tally2. Lock user accounts after 50 failed login attempts using pam_tally2.

4
debian/security-misc.postinst vendored
View File

@ -32,6 +32,10 @@ esac
addgroup root sudo addgroup root sudo
addgroup --system sysfs addgroup --system sysfs
addgroup --system cpuinfo addgroup --system cpuinfo
addgroup --system console
addgroup --system console-unrestricted
addgroup root console
pam-auth-update --package pam-auth-update --package

19
etc/security/access-security-misc.conf Normal file
View File

@ -0,0 +1,19 @@
## Copyright (C) 2019 - 2019 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>
## See the file COPYING for copying conditions.
## Console Lockdown
## https://forums.whonix.org/t/etc-security-hardening/8592
## see also:
## man access.conf
## man pam_access
## Usually tty7 is for X.
## Qubes uses tty1 for X.
## Allow members of group 'console' to use tty1 to tty7.
+:console:tty1 tty2 tty3 tty4 tty5 tty6 tty7
## Everyone else except members of group 'console-unrestricted'
## are restricted from everything else.
-:ALL EXCEPT console-unrestricted :ALL

6
usr/share/pam-configs/console-lockdown Normal file
View File

@ -0,0 +1,6 @@
Name: allow only members of group console to login (by package security-misc)
Default: no
Priority: 280
Account-Type: Primary
Account:
required pam_access.so accessfile=/etc/security/access-security-misc.conf debug