mirror of
https://github.com/Kicksecure/security-misc.git
synced 2025-01-04 00:30:48 -05:00
spelling
This commit is contained in:
parent
9a387f95e9
commit
821a416fe3
308
README.md
308
README.md
@ -5,8 +5,8 @@
|
||||
This section is inspired by the Kernel Self Protection Project (KSPP). It
|
||||
implements all recommended Linux kernel settings by the KSPP and many more.
|
||||
|
||||
- https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project
|
||||
- https://kspp.github.io/Recommended_Settings
|
||||
- https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project
|
||||
- https://kspp.github.io/Recommended_Settings
|
||||
|
||||
### sysctl
|
||||
|
||||
@ -16,88 +16,88 @@ configuration file.
|
||||
Significant hardening is applied by default to a myriad of components within kernel
|
||||
space, user space, core dumps, and swap space.
|
||||
|
||||
- Restrict access to kernel addresses through the us of kernel pointers regardless
|
||||
of user privileges.
|
||||
- Restrict access to kernel addresses through the use of kernel pointers regardless
|
||||
of user privileges.
|
||||
|
||||
- Restrict access to the kernel logs to `CAP_SYSLOG` as the often contain
|
||||
sensitive information.
|
||||
- Restrict access to the kernel logs to `CAP_SYSLOG` as they often contain
|
||||
sensitive information.
|
||||
|
||||
- Prevent kernel information leaks in the console during boot.
|
||||
- Prevent kernel information leaks in the console during boot.
|
||||
|
||||
- Restrict eBPF access to `CAP_BPF` and enable associated JIT compiler hardening.
|
||||
- Restrict eBPF access to `CAP_BPF` and enable associated JIT compiler hardening.
|
||||
|
||||
- Restrict loading TTY line disciplines to `CAP_SYS_MODULE`.
|
||||
- Restrict loading TTY line disciplines to `CAP_SYS_MODULE`.
|
||||
|
||||
- Restricts the `userfaultfd()` syscall to `CAP_SYS_PTRACE` which reduces the
|
||||
likelihood of use-after-free exploits.
|
||||
- Restrict the `userfaultfd()` syscall to `CAP_SYS_PTRACE`, which reduces the
|
||||
likelihood of use-after-free exploits.
|
||||
|
||||
- Disable `kexec` as it can be used to replace the running kernel.
|
||||
- Disable `kexec` as it can be used to replace the running kernel.
|
||||
|
||||
- Entirely disables the SysRq key so that the Secure Attention Key (SAK)
|
||||
can no longer be utilised. See [documentation](https://www.kicksecure.com/wiki/SysRq).
|
||||
- Entirely disable the SysRq key so that the Secure Attention Key (SAK)
|
||||
can no longer be utilized. See [documentation](https://www.kicksecure.com/wiki/SysRq).
|
||||
|
||||
- Provide the option to disable unprivileged user namespaces as they can lead to
|
||||
substantial privilege escalation.
|
||||
- Provide the option to disable unprivileged user namespaces as they can lead to
|
||||
substantial privilege escalation.
|
||||
|
||||
- Restrict kernel profiling and the performance events system to `CAP_PERFMON`.
|
||||
- Restrict kernel profiling and the performance events system to `CAP_PERFMON`.
|
||||
|
||||
- Randomise the addresses (ASLR) for mmap base, stack, VDSO pages, and heap.
|
||||
- Randomize the addresses (ASLR) for mmap base, stack, VDSO pages, and heap.
|
||||
|
||||
- Disable asynchronous I/O (when using Linux kernel version >= 6.6).
|
||||
- Disable asynchronous I/O (when using Linux kernel version >= 6.6).
|
||||
|
||||
- Restrict usage of `ptrace()` to only processes with `CAP_SYS_PTRACE` as it
|
||||
enables programs to inspect and modify other active processes. Provide the
|
||||
option to also entirely disable the use of `ptrace()` for all processes.
|
||||
- Restrict usage of `ptrace()` to only processes with `CAP_SYS_PTRACE` as it
|
||||
enables programs to inspect and modify other active processes. Provide the
|
||||
option to entirely disable the use of `ptrace()` for all processes.
|
||||
|
||||
- Prevent hardlink and symlink TOCTOU races in world-writable directories.
|
||||
- Prevent hardlink and symlink TOCTOU races in world-writable directories.
|
||||
|
||||
- Disallow unintentional writes to files in world-writable directories unless
|
||||
they are owned by the directory owner to mitigate some data spoofing attacks.
|
||||
- Disallow unintentional writes to files in world-writable directories unless
|
||||
they are owned by the directory owner to mitigate some data spoofing attacks.
|
||||
|
||||
- Increase the maximum number of memory map areas a process is able to utilise.
|
||||
- Increase the maximum number of memory map areas a process is able to utilize.
|
||||
|
||||
- Disable core dump files and prevent their creation. If core dump files are
|
||||
enabled, they will be named based on `core.PID` instead of the default `core`.
|
||||
- Disable core dump files and prevent their creation. If core dump files are
|
||||
enabled, they will be named based on `core.PID` instead of the default `core`.
|
||||
|
||||
- Limit the copying of potentially sensitive content in memory to the swap device.
|
||||
- Limit the copying of potentially sensitive content in memory to the swap device.
|
||||
|
||||
Various networking components of the TCP/IP stack are hardened for IPv4/6.
|
||||
|
||||
- Enable TCP SYN cookie protection to assist against SYN flood attacks.
|
||||
- Enable TCP SYN cookie protection to assist against SYN flood attacks.
|
||||
|
||||
- Protect against TCP time-wait assassination hazards.
|
||||
- Protect against TCP time-wait assassination hazards.
|
||||
|
||||
- Enables reverse path filtering (source validation) of packets received
|
||||
from all interfaces to prevent IP spoofing.
|
||||
- Enable reverse path filtering (source validation) of packets received
|
||||
from all interfaces to prevent IP spoofing.
|
||||
|
||||
- Disable ICMP redirect acceptance and redirect sending messages to
|
||||
prevent man-in-the-middle attacks and minimise information disclosure.
|
||||
- Disable ICMP redirect acceptance and redirect sending messages to
|
||||
prevent man-in-the-middle attacks and minimize information disclosure.
|
||||
|
||||
- Ignore ICMP echo requests to prevent clock fingerprinting and Smurf attacks.
|
||||
- Ignore ICMP echo requests to prevent clock fingerprinting and Smurf attacks.
|
||||
|
||||
- Ignore bogus ICMP error responses.
|
||||
- Ignore bogus ICMP error responses.
|
||||
|
||||
- Disable source routing which allows users redirect network traffic that
|
||||
can result in man-in-the-middle attacks.
|
||||
- Disable source routing which allows users to redirect network traffic that
|
||||
can result in man-in-the-middle attacks.
|
||||
|
||||
- Do not accept IPv6 router advertisements and solicitations.
|
||||
- Do not accept IPv6 router advertisements and solicitations.
|
||||
|
||||
- Provide the option to disable SACK and DSACK as they have historically been
|
||||
a known vector for exploitation.
|
||||
- Provide the option to disable SACK and DSACK as they have historically been
|
||||
a known vector for exploitation.
|
||||
|
||||
- Disable TCP timestamps as it can allow detecting the system time.
|
||||
- Disable TCP timestamps as they can allow detecting the system time.
|
||||
|
||||
- Provide the option to log of packets with impossible source or destination
|
||||
addresses to enable further inspection and analysis.
|
||||
- Provide the option to log packets with impossible source or destination
|
||||
addresses to enable further inspection and analysis.
|
||||
|
||||
- Provide the option to enable IPv6 Privacy Extensions.
|
||||
- Provide the option to enable IPv6 Privacy Extensions.
|
||||
|
||||
### mmap ASLR
|
||||
|
||||
- The bits of entropy used for mmap ASLR are maxed out via
|
||||
`/usr/libexec/security-misc/mmap-rnd-bits` (set to the values of
|
||||
`CONFIG_ARCH_MMAP_RND_BITS_MAX` and `CONFIG_ARCH_MMAP_RND_COMPAT_BITS_MAX`
|
||||
that the kernel was built with), therefore improving its effectiveness.
|
||||
- The bits of entropy used for mmap ASLR are maxed out via
|
||||
`/usr/libexec/security-misc/mmap-rnd-bits` (set to the values of
|
||||
`CONFIG_ARCH_MMAP_RND_BITS_MAX` and `CONFIG_ARCH_MMAP_RND_COMPAT_BITS_MAX`
|
||||
that the kernel was built with), therefore improving its effectiveness.
|
||||
|
||||
### Boot parameters
|
||||
|
||||
@ -109,45 +109,45 @@ Boot parameters relating to kernel hardening, DMA mitigations, and entropy
|
||||
generation are outlined in the `/etc/default/grub.d/40_kernel_hardening.cfg`
|
||||
configuration file.
|
||||
|
||||
- Disable merging of slabs with similar size which reduces the risk of
|
||||
triggering heap overflows and limits influencing slab cache layout.
|
||||
- Disable merging of slabs with similar size, which reduces the risk of
|
||||
triggering heap overflows and limits influencing slab cache layout.
|
||||
|
||||
- Enable memory zeroing at both allocation and free time which mitigate some
|
||||
use-after-free vulnerabilities by erasing sensitive information in memory.
|
||||
- Enable memory zeroing at both allocation and free time, which mitigates some
|
||||
use-after-free vulnerabilities by erasing sensitive information in memory.
|
||||
|
||||
- Enable the kernel page allocator to randomise free lists to limit some data
|
||||
exfiltration and ROP attacks especially during the early boot process.
|
||||
- Enable the kernel page allocator to randomize free lists to limit some data
|
||||
exfiltration and ROP attacks, especially during the early boot process.
|
||||
|
||||
- Enable kernel page table isolation increase KASLR effectiveness and also
|
||||
mitigate the Meltdown CPU vulnerability.
|
||||
- Enable kernel page table isolation to increase KASLR effectiveness and also
|
||||
mitigate the Meltdown CPU vulnerability.
|
||||
|
||||
- Enables randomisation of the kernel stack offset on syscall entries to harden
|
||||
against memory corruption attacks.
|
||||
- Enable randomization of the kernel stack offset on syscall entries to harden
|
||||
against memory corruption attacks.
|
||||
|
||||
- Disable vsyscalls as they are vulnerable to ROP attacks and have now been
|
||||
replaced by vDSO.
|
||||
- Disable vsyscalls as they are vulnerable to ROP attacks and have now been
|
||||
replaced by vDSO.
|
||||
|
||||
- Restrict access to debugfs by not registering the file system since it can
|
||||
contain sensitive information.
|
||||
- Restrict access to debugfs by not registering the file system since it can
|
||||
contain sensitive information.
|
||||
|
||||
- Force kernel panics on "oopses" to potentially indicate and thwart certain
|
||||
kernel exploitation attempts.
|
||||
- Force kernel panics on "oopses" to potentially indicate and thwart certain
|
||||
kernel exploitation attempts.
|
||||
|
||||
- Provide option to modify machine check exception handler.
|
||||
- Provide option to modify machine check exception handler.
|
||||
|
||||
- Provide option to disable support for all x86 processes and syscalls to reduce
|
||||
attack surface (when using Linux kernel version >= 6.7).
|
||||
- Provide option to disable support for all x86 processes and syscalls to reduce
|
||||
attack surface (when using Linux kernel version >= 6.7).
|
||||
|
||||
- Enable strict IOMMU translation to protect against DMA attacks and disable
|
||||
the busmaster bit on all PCI bridges during the early boot process.
|
||||
- Enable strict IOMMU translation to protect against DMA attacks and disable
|
||||
the busmaster bit on all PCI bridges during the early boot process.
|
||||
|
||||
- Do not credit the CPU or bootloader as entropy sources at boot in order to
|
||||
maximise the absolute quantity of entropy in the combined pool.
|
||||
- Do not credit the CPU or bootloader as entropy sources at boot in order to
|
||||
maximize the absolute quantity of entropy in the combined pool.
|
||||
|
||||
- Obtain more entropy at boot from RAM as the runtime memory allocator is
|
||||
being initialised.
|
||||
- Obtain more entropy at boot from RAM as the runtime memory allocator is
|
||||
being initialized.
|
||||
|
||||
- Provide option to disable the entire IPv6 stack to reduce attack surface.
|
||||
- Provide option to disable the entire IPv6 stack to reduce attack surface.
|
||||
|
||||
Disallow sensitive kernel information leaks in the console during boot. See
|
||||
the `/etc/default/grub.d/41_quiet_boot.cfg` configuration file.
|
||||
@ -156,20 +156,20 @@ the `/etc/default/grub.d/41_quiet_boot.cfg` configuration file.
|
||||
|
||||
#### Kernel Module Signature Verification
|
||||
|
||||
Not yet due to issues:
|
||||
Not yet implemented due to issues:
|
||||
|
||||
- https://forums.whonix.org/t/enforce-kernel-module-software-signature-verification-module-signing-disallow-kernel-module-loading-by-default/7880/64
|
||||
- https://github.com/dell/dkms/issues/359
|
||||
- https://forums.whonix.org/t/enforce-kernel-module-software-signature-verification-module-signing-disallow-kernel-module-loading-by-default/7880/64
|
||||
- https://github.com/dell/dkms/issues/359
|
||||
|
||||
See:
|
||||
|
||||
- `/etc/default/grub.d/40_signed_modules.cfg`
|
||||
- `/etc/default/grub.d/40_signed_modules.cfg`
|
||||
|
||||
#### Disables the loading of new modules to the kernel after the fact
|
||||
|
||||
Not yet due to issues:
|
||||
Not yet implemented due to issues:
|
||||
|
||||
- https://github.com/Kicksecure/security-misc/pull/152
|
||||
- https://github.com/Kicksecure/security-misc/pull/152
|
||||
|
||||
A systemd service dynamically sets the kernel parameter `modules_disabled` to 1,
|
||||
preventing new modules from being loaded. Since this isn't configured directly
|
||||
@ -186,47 +186,47 @@ Certain kernel modules are blacklisted by default to reduce attack surface via
|
||||
`/etc/modprobe.d/30_security-misc_blacklist.conf`. Blacklisting prevents kernel
|
||||
modules from automatically starting.
|
||||
|
||||
- CD-ROM/DVD: Blacklist modules required for CD-ROM/DVD devices.
|
||||
- CD-ROM/DVD: Blacklist modules required for CD-ROM/DVD devices.
|
||||
|
||||
- Framebuffer Drivers: Blacklisted as they are well-known to be buggy, cause
|
||||
kernel panics, and are generally only used by legacy devices.
|
||||
- Framebuffer Drivers: Blacklisted as they are well-known to be buggy, cause
|
||||
kernel panics, and are generally only used by legacy devices.
|
||||
|
||||
- Miscellaneous: Blacklist an assortment other modules to prevent them from
|
||||
automatically loading.
|
||||
- Miscellaneous: Blacklist an assortment of other modules to prevent them from
|
||||
automatically loading.
|
||||
|
||||
Specific kernel modules are entirely disabled to reduce attack surface via
|
||||
`/etc/modprobe.d/30_security-misc_disable.conf`. Disabling prohibits kernel
|
||||
modules from starting. This approach should not be considered comprehensive,
|
||||
rather it is a form of badness enumeration. Any potential candidates for future
|
||||
modules from starting. This approach should not be considered comprehensive;
|
||||
rather, it is a form of badness enumeration. Any potential candidates for future
|
||||
disabling should first be blacklisted for a suitable amount of time.
|
||||
|
||||
- File Systems: Disable uncommon and legacy file systems.
|
||||
- File Systems: Disable uncommon and legacy file systems.
|
||||
|
||||
- FireWire (IEEE 1394): Disabled as they are often vulnerable to DMA attacks.
|
||||
- FireWire (IEEE 1394): Disabled as they are often vulnerable to DMA attacks.
|
||||
|
||||
- GPS: Disable GPS-related modules such as those required for Global Navigation
|
||||
Satellite Systems (GNSS).
|
||||
- GPS: Disable GPS-related modules such as those required for Global Navigation
|
||||
Satellite Systems (GNSS).
|
||||
|
||||
- Not yet enabled: Intel Management Engine (ME): Provides some disabling of the interface between the
|
||||
Intel ME and the OS. See discussion: https://github.com/Kicksecure/security-misc/issues/239
|
||||
- Not yet enabled: Intel Management Engine (ME): Provides some disabling of the interface between the
|
||||
Intel ME and the OS. See discussion: https://github.com/Kicksecure/security-misc/issues/239
|
||||
|
||||
- Intel Platform Monitoring Technology Telemetry (PMT): Disable some functionality
|
||||
of the Intel PMT components.
|
||||
- Intel Platform Monitoring Technology Telemetry (PMT): Disable some functionality
|
||||
of the Intel PMT components.
|
||||
|
||||
- Network File Systems: Disable uncommon and legacy network file systems.
|
||||
- Network File Systems: Disable uncommon and legacy network file systems.
|
||||
|
||||
- Network Protocols: Wide array of uncommon and legacy network protocols are disabled.
|
||||
- Network Protocols: A wide array of uncommon and legacy network protocols are disabled.
|
||||
|
||||
- Miscellaneous: Disable an assortment other modules such as those required
|
||||
for amateur radio, floppy disks, and vivid.
|
||||
- Miscellaneous: Disable an assortment of other modules such as those required
|
||||
for amateur radio, floppy disks, and vivid.
|
||||
|
||||
- Thunderbolt: Disabled as they are often vulnerable to DMA attacks.
|
||||
- Thunderbolt: Disabled as they are often vulnerable to DMA attacks.
|
||||
|
||||
### Other
|
||||
|
||||
- A systemd service clears the System.map file on boot as these contain kernel
|
||||
pointers. The file is completely overwritten with zeroes to ensure it cannot
|
||||
be recovered. See:
|
||||
- A systemd service clears the System.map file on boot as these contain kernel
|
||||
pointers. The file is completely overwritten with zeroes to ensure it cannot
|
||||
be recovered. See:
|
||||
|
||||
`/etc/kernel/postinst.d/30_remove-system-map`
|
||||
|
||||
@ -234,8 +234,8 @@ disabling should first be blacklisted for a suitable amount of time.
|
||||
|
||||
`/usr/libexec/security-misc/remove-system.map`
|
||||
|
||||
- Coredumps are disabled as they may contain important information such as
|
||||
encryption keys or passwords. See:
|
||||
- Coredumps are disabled as they may contain important information such as
|
||||
encryption keys or passwords. See:
|
||||
|
||||
`/etc/security/limits.d/30_security-misc.conf`
|
||||
|
||||
@ -243,34 +243,34 @@ disabling should first be blacklisted for a suitable amount of time.
|
||||
|
||||
`/lib/systemd/coredump.conf.d/30_security-misc.conf`
|
||||
|
||||
- An initramfs hook sets the sysctl values in `/etc/sysctl.conf` and
|
||||
`/etc/sysctl.d` before init is executed so sysctl hardening is enabled as
|
||||
early as possible. This is implemented for `initramfs-tools` only because
|
||||
this is not needed for `dracut` because `dracut` does that by default, at
|
||||
least on `systemd` enabled systems. Not researched for non-`systemd` systems
|
||||
by the author of this part of the readme.
|
||||
- An initramfs hook sets the sysctl values in `/etc/sysctl.conf` and
|
||||
`/etc/sysctl.d` before init is executed so sysctl hardening is enabled as
|
||||
early as possible. This is implemented for `initramfs-tools` only because
|
||||
this is not needed for `dracut` as `dracut` does that by default, at
|
||||
least on `systemd` enabled systems. Not researched for non-`systemd` systems
|
||||
by the author of this part of the readme.
|
||||
|
||||
## Network hardening
|
||||
|
||||
Not yet due to issues:
|
||||
Not yet implemented due to issues:
|
||||
|
||||
- https://github.com/Kicksecure/security-misc/pull/145
|
||||
- https://github.com/Kicksecure/security-misc/pull/145
|
||||
|
||||
- https://github.com/Kicksecure/security-misc/issues/184
|
||||
- https://github.com/Kicksecure/security-misc/issues/184
|
||||
|
||||
- Unlike version 4, IPv6 addresses can provide information not only about the
|
||||
originating network, but also the originating device. We prevent this from
|
||||
happening by enabling the respective privacy extensions for IPv6.
|
||||
- Unlike version 4, IPv6 addresses can provide information not only about the
|
||||
originating network but also the originating device. We prevent this from
|
||||
happening by enabling the respective privacy extensions for IPv6.
|
||||
|
||||
- In addition, we deny the capability to track the originating device in the
|
||||
network at all, by using randomized MAC addresses per connection per
|
||||
default.
|
||||
- In addition, we deny the capability to track the originating device in the
|
||||
network at all, by using randomized MAC addresses per connection by
|
||||
default.
|
||||
|
||||
See:
|
||||
|
||||
- `/usr/lib/NetworkManager/conf.d/80_ipv6-privacy.conf`
|
||||
- `/usr/lib/NetworkManager/conf.d/80_randomize-mac.conf`
|
||||
- `/usr/lib/systemd/networkd.conf.d/80_ipv6-privacy-extensions.conf`
|
||||
- `/usr/lib/NetworkManager/conf.d/80_ipv6-privacy.conf`
|
||||
- `/usr/lib/NetworkManager/conf.d/80_randomize-mac.conf`
|
||||
- `/usr/lib/systemd/networkd.conf.d/80_ipv6-privacy-extensions.conf`
|
||||
|
||||
## Bluetooth Hardening
|
||||
|
||||
@ -303,16 +303,16 @@ See:
|
||||
|
||||
## Entropy collection improvements
|
||||
|
||||
- The `jitterentropy_rng` kernel module is loaded as early as possible during
|
||||
boot to gather more entropy via the
|
||||
`/usr/lib/modules-load.d/30_security-misc.conf` configuration file.
|
||||
- The `jitterentropy_rng` kernel module is loaded as early as possible during
|
||||
boot to gather more entropy via the
|
||||
`/usr/lib/modules-load.d/30_security-misc.conf` configuration file.
|
||||
|
||||
- Distrusts the CPU for initial entropy at boot as it is not possible to
|
||||
audit, may contain weaknesses or a backdoor. Similarly, do not credit the
|
||||
bootloader seed for initial entropy. For references, see:
|
||||
`/etc/default/grub.d/40_kernel_hardening.cfg`
|
||||
- Distrusts the CPU for initial entropy at boot as it is not possible to
|
||||
audit, may contain weaknesses or a backdoor. Similarly, do not credit the
|
||||
bootloader seed for initial entropy. For references, see:
|
||||
`/etc/default/grub.d/40_kernel_hardening.cfg`
|
||||
|
||||
- Gathers more entropy during boot if using the linux-hardened kernel patch.
|
||||
- Gathers more entropy during boot if using the linux-hardened kernel patch.
|
||||
|
||||
## Restrictive mount options
|
||||
|
||||
@ -320,44 +320,44 @@ A systemd service is triggered on boot to remount all sensitive partitions and
|
||||
directories with significantly more secure hardened mount options. Since this
|
||||
would require manual tuning for a given specific system, we handle it by
|
||||
creating a very solid configuration file for that very system on package
|
||||
install.
|
||||
installation.
|
||||
|
||||
Not enabled by default yet. In development. Help welcome.
|
||||
|
||||
- https://www.kicksecure.com/wiki/Dev/remount-secure
|
||||
- https://github.com/Kicksecure/security-misc/issues/157
|
||||
- https://forums.whonix.org/t/re-mount-home-and-other-with-noexec-and-nosuid-among-other-useful-mount-options-for-better-security/
|
||||
- https://www.kicksecure.com/wiki/Dev/remount-secure
|
||||
- https://github.com/Kicksecure/security-misc/issues/157
|
||||
- https://forums.whonix.org/t/re-mount-home-and-other-with-noexec-and-nosuid-among-other-useful-mount-options-for-better-security/
|
||||
|
||||
## Root access restrictions
|
||||
|
||||
- `su` is restricted to only users within the group `sudo` which prevents
|
||||
users from using `su` to gain root access or to switch user accounts -
|
||||
`/usr/share/pam-configs/wheel-security-misc` (which results in a change in
|
||||
file `/etc/pam.d/common-auth`).
|
||||
- `su` is restricted to only users within the group `sudo` which prevents
|
||||
users from using `su` to gain root access or to switch user accounts -
|
||||
`/usr/share/pam-configs/wheel-security-misc` (which results in a change in
|
||||
file `/etc/pam.d/common-auth`).
|
||||
|
||||
- Add user `root` to group `sudo`. This is required due to the above
|
||||
restriction so that logging in from a virtual console is still possible -
|
||||
`debian/security-misc.postinst`
|
||||
- Add user `root` to group `sudo`. This is required due to the above
|
||||
restriction so that logging in from a virtual console is still possible -
|
||||
`debian/security-misc.postinst`
|
||||
|
||||
- Abort login for users with locked passwords -
|
||||
`/usr/libexec/security-misc/pam-abort-on-locked-password`.
|
||||
- Abort login for users with locked passwords -
|
||||
`/usr/libexec/security-misc/pam-abort-on-locked-password`.
|
||||
|
||||
- Logging into the root account from a virtual, serial, whatnot console is
|
||||
prevented by shipping an existing and empty `/etc/securetty` file (deletion
|
||||
of `/etc/securetty` has a different effect).
|
||||
- Logging into the root account from a virtual, serial, or other console is
|
||||
prevented by shipping an existing and empty `/etc/securetty` file (deletion
|
||||
of `/etc/securetty` has a different effect).
|
||||
|
||||
This package does not yet automatically lock the root account password. It is
|
||||
not clear if this would be sane in such a package although, it is recommended to
|
||||
not clear if this would be sane in such a package, although it is recommended to
|
||||
lock and expire the root account.
|
||||
|
||||
In new Kicksecure builds, root account will be locked by package
|
||||
In new Kicksecure builds, the root account will be locked by package
|
||||
dist-base-files.
|
||||
|
||||
See:
|
||||
|
||||
- https://www.kicksecure.com/wiki/Root
|
||||
- https://www.kicksecure.com/wiki/Dev/Permissions
|
||||
- https://forums.whonix.org/t/restrict-root-access/7658
|
||||
- https://www.kicksecure.com/wiki/Root
|
||||
- https://www.kicksecure.com/wiki/Dev/Permissions
|
||||
- https://forums.whonix.org/t/restrict-root-access/7658
|
||||
|
||||
However, a locked root password will break rescue and emergency shell.
|
||||
Therefore, this package enables passwordless rescue and emergency shell. This is
|
||||
|
Loading…
Reference in New Issue
Block a user