diff --git a/README.md b/README.md index 643e5ad..19a001a 100644 --- a/README.md +++ b/README.md @@ -40,6 +40,9 @@ KASLR effectiveness. * The SysRq key is restricted to only allow shutdowns/reboots. A systemd service clears System.map on boot as these contain kernel symbols that could be useful to an attacker. +/etc/kernel/postinst.d/30_remove-system-map +/lib/systemd/system/remove-system-map.service +/usr/lib/security-misc/remove-system.map * Coredumps are disabled as they may contain important information such as encryption keys or passwords. @@ -52,6 +55,11 @@ for DMA (Direct Memory Access) attacks. * The kernel now panics on oopses to prevent it from continuing running a flawed process. +Requires every module to be signed before being loaded. Any module that is +unsigned or signed with an invalid key cannot be loaded. This makes it harder +to load a malicious module. +/etc/default/grub.d/40_only_allow_signed_modules.cfg + Uncommon network protocols are blacklisted: These are rarely used and may have unknown vulnerabilities. /etc/modprobe.d/uncommon-network-protocols.conf @@ -91,7 +99,7 @@ restricts access to the root account: * `su` is restricted to only users within the group `sudo` which prevents users from using `su` to gain root access or to switch user accounts. -/usr/share/pam-configs/security-misc +/usr/share/pam-configs/wheel-security-misc (Which results in a change in file `/etc/pam.d/common-auth`.) * Add user `root` to group `sudo`. This is required to make above work so 
@@ -99,33 +107,49 @@ login as a user in a virtual console is still possible. debian/security-misc.postinst * Lock user accounts after 5 failed login attempts using pam_tally2. -/usr/share/pam-configs/security-misc +/usr/share/pam-configs/tally2-security-misc * Logging into the root account from a virtual, serial, whatnot console is prevented by shipping an existing and empty /etc/securetty. (Deletion of /etc/securetty has a different effect.) /etc/securetty.security-misc +informational output during PAM: + +* Show failed and remaining password attempts. +* Document unlock procedure if Linux user account got locked. +* Point out, that there is no password feedback for `su`. +* Explain locked (root) account if locked. +* /usr/share/pam-configs/tally2-security-misc +* /usr/lib/security-misc/pam_tally2-info + access rights restrictions: * The default umask is changed to 006. This allows only the owner and group to read and write to newly created files. /etc/login.defs.security-misc +/usr/share/pam-configs/usergroups-security-misc * Enables pam_umask.so usergroups so group permissions are same as user permissions. Debian by default uses User Private Groups (UPG). https://wiki.debian.org/UserPrivateGroups -/usr/share/pam-configs/usergroups +/usr/share/pam-configs/usergroups-security-misc + +* Create home directory on login with umask 006 using +pam_mkhomedir.so umask=006 +/usr/share/pam-configs/mkhomedir-security-misc * Removes read, write and execute access for others for all users who have home folders under folder /home by running for example "chmod o-rwx /home/user" -during package installation or upgrade. This will be done only once per folder -in folder /home so users who wish to relax file permissions are free to do so. -This is to protect previously created files in user home folder which were -previously created with lax file permissions prior installation of this +during package installation, upgrade or pam. 
This will be done only once per +folder in folder /home so users who wish to relax file permissions are free to +do so. This is to protect previously created files in user home folder which +were previously created with lax file permissions prior installation of this package. debian/security-misc.postinst +/usr/share/pam-configs/permission-lockdown-security-misc +/usr/lib/security-misc/permission-lockdown access rights relaxations: @@ -186,16 +210,24 @@ Application specific hardening: * Deactivates thumbnails in Thunar. ## How to install `security-misc` using apt-get ## -1\. Add [Whonix's Signing Key](https://www.whonix.org/wiki/Whonix_Signing_Key). +1\. Download [Whonix's Signing Key](). ``` -sudo apt-key --keyring /etc/apt/trusted.gpg.d/whonix.gpg adv --keyserver hkp://ipv4.pool.sks-keyservers.net:80 --recv-keys 916B8D99C38EAF5E8ADC7A2A8D66066A2EEACCDA +wget https://www.whonix.org/patrick.asc +``` + +Users can [check Whonix Signing Key](https://www.whonix.org/wiki/Whonix_Signing_Key) for better security. + +2\. Add Whonix's signing key. + +``` +sudo apt-key --keyring /etc/apt/trusted.gpg.d/whonix.gpg add ~/patrick.asc ``` 3\. Add Whonix's APT repository. ``` -echo "deb http://deb.whonix.org buster main contrib non-free" | sudo tee /etc/apt/sources.list.d/whonix.list +echo "deb https://deb.whonix.org buster main contrib non-free" | sudo tee /etc/apt/sources.list.d/whonix.list ``` 4\. Update your package lists. diff --git a/changelog.upstream b/changelog.upstream index 1ebedfc..9fba34d 100644 --- a/changelog.upstream +++ b/changelog.upstream 
@@ -1,3 +1,368 @@ +commit a11e3cea9eb160ba84dbc273ea4cb48bc687158f +Author: Patrick Schleizer +Date: Thu Aug 15 15:08:48 2019 +0000 + + readme + +commit ff9bc1d7ea81a8507f44d9bb1301b9665614ebdd +Author: Patrick Schleizer +Date: Thu Aug 15 13:37:28 2019 +0000 + + informational output during PAM: + + * Show failed and remaining password attempts. + * Document unlock procedure if Linux user account got locked. + * Point out, that there is no password feedback for `su`. + * Explain locked (root) account if locked. + * /usr/share/pam-configs/tally2-security-misc + * /usr/lib/security-misc/pam_tally2-info + +commit 454e1358220abf75def0d88a22426086a55c0802 +Author: Patrick Schleizer +Date: Thu Aug 15 07:33:41 2019 +0000 + + pam_tally2.so even_deny_root + +commit 63b476221c7b9ece6b99f9e194fab80e300275d9 +Author: Patrick Schleizer +Date: Thu Aug 15 07:30:56 2019 +0000 + + use requisite rather than required to avoid asking for password needlessly + + if login will fail anyhow + +commit ce4a30d3cecb7e9bddb96c79aab871804cb90bd4 +Author: Patrick Schleizer +Date: Wed Aug 14 11:52:26 2019 +0000 + + bumped changelog version + +commit a7c25a451c78f7b9a5720e1b6fc7d168eb0afa4f +Author: Patrick Schleizer +Date: Wed Aug 14 11:50:53 2019 +0000 + + remove unneeded dependency on libpam-cgfs + +commit 633854c6bec439af9718439c8207012322800166 +Author: Patrick Schleizer +Date: Wed Aug 14 11:13:25 2019 +0000 + + bumped changelog version + +commit 0feb54b28e90b5c4cfcd529914a3892362c34966 +Author: Patrick Schleizer +Date: Wed Aug 14 11:10:18 2019 +0000 + + add Depends: apparmor-profile-anondist to fix apparmor issue + + sudo[19806]: pam_exec(sudo:session): execve(/usr/lib/security-misc/permission-lockdown,...) 
failed: Permission denied + sudo[18961]: pam_exec(sudo:session): /usr/lib/security-misc/permission-lockdown failed: exit code 13 + kernel: audit: type=1400 audit(1565780860.972:224): apparmor="DENIED" operation="exec" profile="/usr/bin/whonixcheck" name="/usr/lib/security-misc/permission-lockdown" pid=19806 comm="sudo" requested_mask="x" denied_mask="x" fsuid=0 ouid=0 + +commit 8fdc77fed553d7ba6123d738b9cb3efe98f3f08f +Author: Patrick Schleizer +Date: Wed Aug 14 10:33:23 2019 +0000 + + output to stdout + +commit 5213cfbcdcb41a5aa714d1031b36436adeb0359c +Author: Patrick Schleizer +Date: Wed Aug 14 10:08:18 2019 +0000 + + bumped changelog version + +commit 2875adb7221769dcd23ef701dae8b9ad24708590 +Author: Patrick Schleizer +Date: Wed Aug 14 10:07:55 2019 +0000 + + readme + +commit 01b3a0bfaeda0dad87644ad8d54c61e07dd501f7 +Author: Patrick Schleizer +Date: Wed Aug 14 09:52:53 2019 +0000 + + description + +commit 547ba91d799780487782cdd8088c556d978494e8 +Author: Patrick Schleizer +Date: Wed Aug 14 09:45:30 2019 +0000 + + sanity test + +commit dee195d89e94ff343cec60308cbbb5464d2a7b18 +Author: Patrick Schleizer +Date: Wed Aug 14 09:40:41 2019 +0000 + + description + +commit 799acad724977dea220c2228f9da0db3d6b5170e +Author: Patrick Schleizer +Date: Wed Aug 14 09:39:43 2019 +0000 + + skip, if not a folder + +commit 6321ff5ad5938a929d4a997b4f1b03db2ac4b5fd +Author: Patrick Schleizer +Date: Wed Aug 14 09:38:44 2019 +0000 + + refactoring + +commit 15094cab4fbbb1fd0c20bd8241ea20bd6c0bd331 +Author: Patrick Schleizer +Date: Wed Aug 14 09:36:30 2019 +0000 + + avoid ' character in usr/share/pam-configs; in description + +commit 97d1945e61053efd3b73fb9f761b3ea1c9271cdc +Author: Patrick Schleizer +Date: Wed Aug 14 09:32:58 2019 +0000 + + no log needed, informative output to stdout instead + +commit a085d46c567b0b5dbbaddd8f3e5873d87d904c4a +Author: Patrick Schleizer +Date: Wed Aug 14 09:31:58 2019 +0000 + + change priories so "pam_umask.so usergroups umask=006" runs before pam_exec.so 
/usr/lib/security-misc/permission-lockdown + +commit f8c828b69a8f52108d19af4076e718930b5dcd07 +Author: Patrick Schleizer +Date: Wed Aug 14 05:19:02 2019 -0400 + + output + +commit e5da6d9699de1d3c4aaefee7d301a4c47f33e4bd +Author: Patrick Schleizer +Date: Wed Aug 14 05:17:54 2019 -0400 + + copyright + +commit 1595789d7c310c80196345e06b6bacc8fb7c0baf +Author: Patrick Schleizer +Date: Wed Aug 14 05:17:16 2019 -0400 + + comment + +commit ce06fdf91103afbaf84523ce998570af733b5bbe +Author: Patrick Schleizer +Date: Wed Aug 14 05:15:53 2019 -0400 + + formatting + +commit 21489111d107023f150988137180154ba62e1ff2 +Author: Patrick Schleizer +Date: Wed Aug 14 08:34:03 2019 +0000 + + run permission lockdown during pam + + https://forums.whonix.org/t/change-default-umask/7416 + +commit 42f2d5f6664f15baebdaf200a5690cf32cdbe284 +Author: Patrick Schleizer +Date: Wed Aug 14 07:39:28 2019 +0000 + + description + +commit 52df8dc0149d597c3106daa7112a01db444e34f1 +Author: Patrick Schleizer +Date: Wed Aug 14 07:37:21 2019 +0000 + + optional pam_umask.so usergroups umask=006 + +commit f210294f4091b6a09c902a446b125c26022c5d2a +Author: Patrick Schleizer +Date: Wed Aug 14 07:24:24 2019 +0000 + + description + +commit dbea7d1511d8e1b2604960d37146ec931d9dfe15 +Author: Patrick Schleizer +Date: Wed Aug 14 07:22:14 2019 +0000 + + add hook etc/kernel/postinst.d/30_remove-system-map to remove system.map + + on kernel package upgrade; + + self-document this package: during upgrade the following will be written + to stdout: + + Setting up linux-image-4.19.0-5-amd64 (4.19.37-5+deb10u2) ... 
+ /etc/kernel/postinst.d/30_remove-system-map: + removed '/boot/System.map-4.19.0-5-amd64 + +commit f1d8cbc9fb2b800205923cce77a8e242dddd133c +Author: Patrick Schleizer +Date: Wed Aug 14 07:02:09 2019 +0000 + + bumped changelog version + +commit 41f4441d9dc5777d4ea7424f8422164c548da091 +Author: Patrick Schleizer +Date: Wed Aug 14 07:01:47 2019 +0000 + + readme + +commit a82448d46af4fb9dce2de84025b8b820a11fae01 +Author: Patrick Schleizer +Date: Wed Aug 14 07:01:25 2019 +0000 + + description + +commit ff8c0979435b491cf462c5ef6e8e02f6d85f1d81 +Merge: 6f8acf0 a8ea379 +Author: Patrick Schleizer +Date: Wed Aug 14 06:59:50 2019 +0000 + + Merge remote-tracking branch 'origin/master' + +commit a8ea37952669b3f40a452cb580442126ec44233a +Merge: 6f8acf0 9a49b8e +Author: Patrick Schleizer +Date: Wed Aug 14 06:59:34 2019 +0000 + + Merge pull request #28 from madaidan/patch-22 + + Require all loaded kernel modules to be signed with a valid key. + +commit 9a49b8ecbb863a995862a4d380c6a03f6c0991ac +Author: madaidan <50278627+madaidan@users.noreply.github.com> +Date: Tue Aug 13 13:33:07 2019 +0000 + + Create 40_only_allow_signed_modules.cfg + + Require all loaded kernel modules to be signed with a valid key. 
+ +commit 6f8acf06d79c77e3bee15cc8696a433271e2b7c9 +Author: Patrick Schleizer +Date: Sun Aug 11 12:07:07 2019 +0000 + + bumped changelog version + +commit 52cee9128316d649ba7ffa9600d0fdc33c99a9a9 +Author: Patrick Schleizer +Date: Sun Aug 11 11:39:32 2019 +0000 + + readme + +commit aacd9c7679b05b7ee59df484f21a24fe7aa5901d +Author: Patrick Schleizer +Date: Sun Aug 11 10:34:38 2019 +0000 + + description + +commit c0b5c70de498d891e4edd5b9af2292909be36776 +Author: Patrick Schleizer +Date: Sun Aug 11 10:33:22 2019 +0000 + + description + +commit 2f37a66fd009c9cba423c0f95833a71c8669af46 +Author: Patrick Schleizer +Date: Sun Aug 11 10:31:29 2019 +0000 + + description + +commit e83ec79a25d09b2467e2389959d87267bab7f1f0 +Author: Patrick Schleizer +Date: Sun Aug 11 10:30:51 2019 +0000 + + enable usr/share/pam-configs/mkhomedir-security-misc by default + +commit 1eb806a03ef25bb387fa80f45dd6509925437048 +Author: Patrick Schleizer +Date: Sun Aug 11 10:29:49 2019 +0000 + + pam_mkhomedir.so umask=006 + +commit c50eb3c9b07b9e54951eb08206db6d28383f6cdc +Author: Patrick Schleizer +Date: Sun Aug 11 10:28:55 2019 +0000 + + add usr/share/pam-configs/mkhomedir-security-misc based on + /usr/share/pam-configs/mkhomedir + +commit 75769151cd7980042357f18c5567adab2a031049 +Author: Patrick Schleizer +Date: Sat Aug 10 11:37:02 2019 +0000 + + bumped changelog version + +commit a2fa18c38159161418edcdaacb1baad215f5d31d +Author: Patrick Schleizer +Date: Sat Aug 10 07:07:28 2019 -0400 + + pam_tally2.so deny=100 + + during testing, due to issues + + https://github.com/Whonix/security-misc/commit/d17e25272b9b7bbb6abc4dccd500a6b34311a7dd + + https://forums.whonix.org/t/how-strong-do-linux-user-account-passwords-have-to-be-when-using-full-disk-encryption-fde-too/7698/12 + +commit d17e25272b9b7bbb6abc4dccd500a6b34311a7dd +Author: Patrick Schleizer +Date: Sat Aug 10 06:06:39 2019 -0400 + + effectively (not directly) add "required pam_tally2.so debug" to /etc/pam.d/common-account + + This is required 
because otherwise something like "sudo bash" would count as a + failed login for pam_tally2 even though it was successful. + + https://bugzilla.redhat.com/show_bug.cgi?id=707660 + + https://forums.whonix.org/t/restrict-root-access/7658 + +commit 0f896a9d8d6f7c125311a0e226755f8a00214f3c +Author: Patrick Schleizer +Date: Sat Aug 10 06:05:37 2019 -0400 + + add onerr=fail audit to pam_tally2 + +commit a703865dcf736996a58e6f684fc02f0e9dfa8cc7 +Author: Patrick Schleizer +Date: Thu Aug 1 12:02:41 2019 +0000 + + bumped changelog version + +commit 1fe3036a4903588b89edd82e7097a665271fd27f +Author: Patrick Schleizer +Date: Thu Aug 1 11:13:43 2019 +0000 + + readme + +commit e076470f68dc18908c5ab1889232aaaa0fcb9f3d +Author: Patrick Schleizer +Date: Thu Aug 1 11:04:58 2019 +0000 + + renamed: usr/share/pam-configs/usergroups -> usr/share/pam-configs/usergroups-security-misc + +commit 830111e99aa6f45688c4ba00a7f41ea323f15f2a +Author: Patrick Schleizer +Date: Thu Aug 1 11:04:22 2019 +0000 + + split usr/share/pam-configs/security-misc + into + usr/share/pam-configs/tally2-security-misc + usr/share/pam-configs/wheel-security-misc + +commit 5d0aec1321b4f46f1834ba9ad166d2445a995fbb +Author: Patrick Schleizer +Date: Wed Jul 31 19:12:27 2019 +0000 + + bumped changelog version + +commit 89d32402b2dd2182dc6e7788d41708eaaeeb02c1 +Author: Patrick Schleizer +Date: Wed Jul 31 14:52:29 2019 -0400 + + fix, do not use "," inside /usr/share/pam-configs files + +commit 864de10659d0145ae8883b98b1746a7debc9492a +Author: Patrick Schleizer +Date: Wed Jul 31 15:17:51 2019 +0000 + + bumped changelog version + commit 47368ae4fccc85ab3197f07316b03c123187f9a2 Author: Patrick Schleizer Date: Wed Jul 31 15:15:30 2019 +0000 diff --git a/debian/changelog b/debian/changelog index c4fceca..4b43e8e 100644 --- a/debian/changelog +++ b/debian/changelog 
@@ -1,3 +1,57 @@ +security-misc (3:7.1-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Thu, 15 Aug 2019 15:18:02 +0000 + +security-misc (3:7.0-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Wed, 14 Aug 2019 11:52:26 +0000 + +security-misc (3:6.9-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Wed, 14 Aug 2019 11:13:25 +0000 + +security-misc (3:6.8-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Wed, 14 Aug 2019 10:08:18 +0000 + +security-misc (3:6.7-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Wed, 14 Aug 2019 07:02:09 +0000 + +security-misc (3:6.6-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sun, 11 Aug 2019 12:07:07 +0000 + +security-misc (3:6.5-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sat, 10 Aug 2019 11:37:02 +0000 + +security-misc (3:6.4-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Thu, 01 Aug 2019 12:02:41 +0000 + +security-misc (3:6.3-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Wed, 31 Jul 2019 19:12:27 +0000 + security-misc (3:6.2-1) unstable; urgency=medium * New upstream version (local package). diff --git a/debian/control b/debian/control index d5756e1..38bad35 100644 --- a/debian/control +++ b/debian/control @@ -13,8 +13,8 @@ Standards-Version: 4.3.0 Package: security-misc Architecture: all -Depends: python, libglib2.0-bin, libpam-runtime, libpam-cgfs, sudo, - ${misc:Depends} +Depends: python, libglib2.0-bin, libpam-runtime, sudo, + apparmor-profile-anondist, ${misc:Depends} Replaces: tcp-timestamps-disable Description: enhances misc security settings kernel hardening: 
@@ -57,6 +57,9 @@ Description: enhances misc security settings * The SysRq key is restricted to only allow shutdowns/reboots. A systemd service clears System.map on boot as these contain kernel symbols that could be useful to an attacker. + /etc/kernel/postinst.d/30_remove-system-map + /lib/systemd/system/remove-system-map.service + /usr/lib/security-misc/remove-system.map . * Coredumps are disabled as they may contain important information such as encryption keys or passwords. @@ -71,6 +74,11 @@ Description: enhances misc security settings . * Bluetooth is blacklisted to reduce attack surface. Bluetooth also has a history of [security concerns](https://en.wikipedia.org/wiki/Bluetooth#History_of_security_concerns). + . + * Requires every module to be signed before being loaded. Any module that is + unsigned or signed with an invalid key cannot be loaded. This makes it harder + to load a malicious module. + /etc/default/grub.d/40_only_allow_signed_modules.cfg . Uncommon network protocols are blacklisted: These are rarely used and may have unknown vulnerabilities. @@ -111,7 +119,7 @@ Description: enhances misc security settings . * `su` is restricted to only users within the group `sudo` which prevents users from using `su` to gain root access or to switch user accounts. - /usr/share/pam-configs/security-misc + /usr/share/pam-configs/wheel-security-misc (Which results in a change in file `/etc/pam.d/common-auth`.) . * Add user `root` to group `sudo`. This is required to make above work so 
@@ -119,33 +127,49 @@ Description: enhances misc security settings debian/security-misc.postinst . * Lock user accounts after 5 failed login attempts using pam_tally2. - /usr/share/pam-configs/security-misc + /usr/share/pam-configs/tally2-security-misc . * Logging into the root account from a virtual, serial, whatnot console is prevented by shipping an existing and empty /etc/securetty. (Deletion of /etc/securetty has a different effect.) /etc/securetty.security-misc . + informational output during PAM: + . + * Show failed and remaining password attempts. + * Document unlock procedure if Linux user account got locked. + * Point out, that there is no password feedback for `su`. + * Explain locked (root) account if locked. + * /usr/share/pam-configs/tally2-security-misc + * /usr/lib/security-misc/pam_tally2-info + . access rights restrictions: . * The default umask is changed to 006. This allows only the owner and group to read and write to newly created files. /etc/login.defs.security-misc + /usr/share/pam-configs/usergroups-security-misc . * Enables pam_umask.so usergroups so group permissions are same as user permissions. Debian by default uses User Private Groups (UPG). https://wiki.debian.org/UserPrivateGroups - /usr/share/pam-configs/usergroups + /usr/share/pam-configs/usergroups-security-misc + . + * Create home directory on login with umask 006 using + pam_mkhomedir.so umask=006 + /usr/share/pam-configs/mkhomedir-security-misc . * Removes read, write and execute access for others for all users who have home folders under folder /home by running for example "chmod o-rwx /home/user" - during package installation or upgrade. This will be done only once per folder - in folder /home so users who wish to relax file permissions are free to do so. - This is to protect previously created files in user home folder which were - previously created with lax file permissions prior installation of this + during package installation, upgrade or pam. 
This will be done only once per + folder in folder /home so users who wish to relax file permissions are free to + do so. This is to protect previously created files in user home folder which + were previously created with lax file permissions prior installation of this package. debian/security-misc.postinst + /usr/share/pam-configs/permission-lockdown-security-misc + /usr/lib/security-misc/permission-lockdown . access rights relaxations: . diff --git a/debian/security-misc.postinst b/debian/security-misc.postinst index 194929f..ffdd07d 100644 --- a/debian/security-misc.postinst +++ b/debian/security-misc.postinst @@ -15,32 +15,6 @@ true " ##################################################################### " -home_folder_access_rights_lockdown() { - mkdir -p /var/cache/security-misc/state-files - - shopt -s nullglob - - ## Not using dotglob. - ## touch /var/cache/security-misc/state-files//home/.Trash - ## touch: cannot touch '/var/cache/security-misc/state-files//home/.Trash': No such file or directory - - local folder_name base_name - - for folder_name in /home/* ; do - base_name="$(basename "$folder_name")" - if [ -f "/var/cache/security-misc/state-files/$base_name" ]; then - continue - fi - chmod o-rwx "$folder_name" - ## Create a state-file so we do this only once. - ## Therefore a user who will manually undo this, will not get - ## annoyed by this being done over and over again. - touch "/var/cache/security-misc/state-files/$base_name" - done - - shopt -u nullglob -} - case "$1" in configure) glib-compile-schemas /usr/share/glib-2.0/schemas || true @@ -59,7 +33,7 @@ addgroup root sudo pam-auth-update --package -home_folder_access_rights_lockdown +/usr/lib/security-misc/permission-lockdown true "INFO: debhelper beginning here." diff --git a/etc/default/grub.d/40_only_allow_signed_modules.cfg b/etc/default/grub.d/40_only_allow_signed_modules.cfg new file mode 100644 index 0000000..a38c6d2 --- /dev/null +++ b/etc/default/grub.d/40_only_allow_signed_modules.cfg 
@@ -0,0 +1,3 @@ +# Requires every module to be signed before being loaded. Any module that is unsigned or signed with an invalid key cannot be loaded. +# This makes it harder to load a malicious module. +GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX module.sig_enforce=1" diff --git a/etc/kernel/postinst.d/30_remove-system-map b/etc/kernel/postinst.d/30_remove-system-map new file mode 100755 index 0000000..fc4a604 --- /dev/null +++ b/etc/kernel/postinst.d/30_remove-system-map @@ -0,0 +1,5 @@ +#!/bin/bash + +if test -x /usr/lib/security-misc/remove-system.map ; then + /usr/lib/security-misc/remove-system.map +fi diff --git a/usr/lib/security-misc/pam_tally2-info b/usr/lib/security-misc/pam_tally2-info new file mode 100755 index 0000000..ca23a76 --- /dev/null +++ b/usr/lib/security-misc/pam_tally2-info 
@@ -0,0 +1,109 @@ +#!/bin/bash + +if [ ! -r /var/log/auth.log ]; then + exit 0 +fi + +pam_tally2_output="$(pam_tally2 --user "$PAM_USER")" + +if [ "$pam_tally2_output" = "" ]; then + true "$0: no failed login" + exit 0 +fi + +## Example: +#Login Failures Latest failure From +#user 0 + +pam_tally2_output_last_line="$(echo "$pam_tally2_output" | tail -1)" +## Example: +#user 0 + +arr=($pam_tally2_output_last_line) +user_name="${arr[0]}" +failed_login_counter="${arr[1]}" + +if [ ! "$PAM_USER" = "$user_name" ]; then + echo "$0: ERROR: PAM_USER: $PAM_USER does not equal user_name: '$user_name'." >&2 + echo "$0: ERROR: Please report this bug." >&2 + echo "" >&2 + exit 0 +fi + +if [ "$failed_login_counter" = "0" ]; then + true "$0: INFO: Failed login counter is 0, ok." + exit 0 +fi + +temp="$(grep pam_tally2 /var/log/auth.log | grep ", deny" | tail -1)" +last_line_of_user="$(echo "$temp" | grep "pam_tally2")" +last_line_of_user="$(echo "$temp" | grep "): user $PAM_USER")" + +#last_line_of_user="$(grep pam_tally2 /var/log/auth.log | grep "): user $PAM_USER " | tail -1)" +## Example: +#Aug 15 03:47:50 localhost sudo: pam_tally2(sudo:auth): user user (1000) tally 1, deny 10 + +temp="$(echo "$last_line_of_user" | sed 's/.*tally //')" +temp="${temp/", deny"/""}" +## Example: +#1 100 + +arr=($temp) +tally="${arr[0]}" +deny="${arr[1]}" + +if [[ "$tally" == *[!0-9]* ]]; then + echo "$0: ERROR: tally is not numeric." >&2 + echo "$0: ERROR: Please report this bug." >&2 + echo "" >&2 + exit 0 +fi + +if [[ "$deny" == *[!0-9]* ]]; then + echo "$0: ERROR: deny is not numeric." >&2 + echo "$0: ERROR: Please report this bug." >&2 + echo "" >&2 + exit 0 +fi + +remaining_attempts="$(( $deny - $tally ))" + +## Thanks to: +if [ "$(passwd -S "$PAM_USER" | cut -d ' ' -f 2)" = "P" ]; then + true "INFO: Password not locked." +else + echo "$0: ERROR: Password for user \"$PAM_USER\" is locked." >&2 + if [ "$PAM_USER" = "root" ]; then + echo "$0: ERROR: root account is locked by default. 
See:" >&2 + echo "https://www.whonix.org/wiki/root" >&2 + echo "" >&2 + fi + exit 0 +fi + +if [ "$remaining_attempts" -le "0" ]; then + echo "$0: ERROR: Login blocked after $tally attempts." >&2 + echo "$0: To unlock, run the following command as superuser:" >&2 + echo "$0: (If you still have a sudo/root shell somewhere.)" >&2 + echo "" >&2 + echo "pam_tally2 --quiet -r --user $PAM_USER" >&2 + echo "" >&2 + echo "$0: However, most likely unlock procedure is required." >&2 + echo "$0: First boot into recovery mode at grub boot menu and then run above command." >&2 + echo "$0: See also:" >&2 + echo "https://www.whonix.org/wiki/root#unlock" >&2 + echo "" >&2 + exit 0 +fi + +echo "$0: WARNING: $tally failed login attempts." >&2 +echo "$0: Login will be blocked after $deny attempts." >&2 +echo "$0: You have $remaining_attempts more attempts before unlock procedure is required." >&2 +echo "" >&2 + +if [ "$PAM_SERVICE" = "su" ]; then + echo "$0: NOTE: Type the password. When entering the password, no password feedback (no asterisk (\"*\") symbol) will be shown." >&2 + echo "" >&2 +fi + +exit 0 diff --git a/usr/lib/security-misc/permission-lockdown b/usr/lib/security-misc/permission-lockdown new file mode 100755 index 0000000..2b4e802 --- /dev/null +++ b/usr/lib/security-misc/permission-lockdown 
@@ -0,0 +1,68 @@ +#!/bin/bash + +## Copyright (C) 2012 - 2019 ENCRYPTED SUPPORT LP +## See the file COPYING for copying conditions. + +## Doing this for all users would create many issues. +# /usr/lib/security-misc/permission-lockdown: user: root | chmod o-rwx "/root" +# /usr/lib/security-misc/permission-lockdown: user: daemon | chmod o-rwx "/usr/sbin" +# /usr/lib/security-misc/permission-lockdown: user: bin | chmod o-rwx "/bin" +# /usr/lib/security-misc/permission-lockdown: user: sys | chmod o-rwx "/dev" +# /usr/lib/security-misc/permission-lockdown: user: sync | chmod o-rwx "/bin" +# /usr/lib/security-misc/permission-lockdown: user: games | chmod o-rwx "/usr/games" +# /usr/lib/security-misc/permission-lockdown: user: man | chmod o-rwx "/var/cache/man" +# /usr/lib/security-misc/permission-lockdown: user: mail | chmod o-rwx "/var/mail" +# /usr/lib/security-misc/permission-lockdown: user: proxy | chmod o-rwx "/bin" +# /usr/lib/security-misc/permission-lockdown: user: backup | chmod o-rwx "/var/backups" +# /usr/lib/security-misc/permission-lockdown: user: systemd-timesync | chmod o-rwx "/run/systemd" +# /usr/lib/security-misc/permission-lockdown: user: systemd-network | chmod o-rwx "/run/systemd/netif" +# /usr/lib/security-misc/permission-lockdown: user: messagebus | chmod o-rwx "/var/run/dbus" +# /usr/lib/security-misc/permission-lockdown: user: tinyproxy | chmod o-rwx "/run/tinyproxy" +# /usr/lib/security-misc/permission-lockdown: user: rtkit | chmod o-rwx "/proc" +# /usr/lib/security-misc/permission-lockdown: user: colord | chmod o-rwx "/var/lib/colord" +# /usr/lib/security-misc/permission-lockdown: user: Debian-exim | chmod o-rwx "/var/spool/exim4" +# /usr/lib/security-misc/permission-lockdown: user: debian-tor | chmod o-rwx "/var/lib/tor" +# /usr/lib/security-misc/permission-lockdown: user: stunnel4 | chmod o-rwx "/var/run/stunnel4" +# /usr/lib/security-misc/permission-lockdown: user: iodine | chmod o-rwx "/var/run/iodine" +# 
/usr/lib/security-misc/permission-lockdown: user: apt-cacher-ng | chmod o-rwx "/var/cache/apt-cacher-ng" +# /usr/lib/security-misc/permission-lockdown: user: statd | chmod o-rwx "/var/lib/nfs" +# /usr/lib/security-misc/permission-lockdown: user: timidity | chmod o-rwx "/etc/timidity" +# /usr/lib/security-misc/permission-lockdown: user: uuidd | chmod o-rwx "/run/uuidd" +# /usr/lib/security-misc/permission-lockdown: user: _rpc | chmod o-rwx "/run/rpcbind" +# /usr/lib/security-misc/permission-lockdown: user: geoclue | chmod o-rwx "/var/lib/geoclue" + +home_folder_access_rights_lockdown() { + shopt -s nullglob + + ## Not using dotglob. + ## touch /var/cache/security-misc/state-files//home/.Trash + ## touch: cannot touch '/var/cache/security-misc/state-files//home/.Trash': No such file or directory + + local folder_name base_name + + for folder_name in /home/* ; do + base_name="$(basename "$folder_name")" + if [ -f "/var/cache/security-misc/state-files/$base_name" ]; then + continue + fi + if [ ! -d "$folder_name" ]; then + continue + fi + if [ "$folder_name" = "/home/" ]; then + continue + fi + mkdir -p /var/cache/security-misc/state-files + echo "$0: chmod o-rwx \"$folder_name\"" + chmod o-rwx "$folder_name" + ## Create a state-file so we do this only once. + ## Therefore a user who will manually undo this, will not get + ## annoyed by this being done over and over again. + touch "/var/cache/security-misc/state-files/$base_name" + done + + shopt -u nullglob +} + +home_folder_access_rights_lockdown + +exit 0 diff --git a/usr/lib/security-misc/remove-system.map b/usr/lib/security-misc/remove-system.map index 10071f8..621879b 100755 --- a/usr/lib/security-misc/remove-system.map +++ b/usr/lib/security-misc/remove-system.map @@ -9,6 +9,6 @@ shopt -s nullglob for filename in /boot/System.map-* do if [ -f "$(unknown)" ]; then - rm -f "$(unknown)" + rm --verbose --force "$(unknown)" fi done 
diff --git a/usr/share/pam-configs/mkhomedir-security-misc b/usr/share/pam-configs/mkhomedir-security-misc new file mode 100644 index 0000000..7e87e21 --- /dev/null +++ b/usr/share/pam-configs/mkhomedir-security-misc @@ -0,0 +1,7 @@ +Name: Create home directory on login (by package security-misc) +Default: yes +Priority: 100 +Session-Type: Additional +Session-Interactive-Only: yes +Session: + optional pam_mkhomedir.so umask=006 diff --git a/usr/share/pam-configs/permission-lockdown-security-misc b/usr/share/pam-configs/permission-lockdown-security-misc new file mode 100644 index 0000000..65be498 --- /dev/null +++ b/usr/share/pam-configs/permission-lockdown-security-misc @@ -0,0 +1,6 @@ +Name: prevent users from reading other users /home/user folders (by package security-misc) +Default: yes +Priority: 50 +Session-Type: Additional +Session: + optional pam_exec.so debug stdout seteuid /usr/lib/security-misc/permission-lockdown diff --git a/usr/share/pam-configs/security-misc b/usr/share/pam-configs/security-misc deleted file mode 100644 index 30b0df4..0000000 --- a/usr/share/pam-configs/security-misc +++ /dev/null @@ -1,7 +0,0 @@ -Name: group sudo membership required to use su, lock accounts after 5 failed authentication attempts (by package security-misc) -Default: yes -Priority: 260 -Auth-Type: Primary -Auth: - required pam_wheel.so group=sudo debug - required pam_tally2.so deny=5 debug diff --git a/usr/share/pam-configs/tally2-security-misc b/usr/share/pam-configs/tally2-security-misc new file mode 100644 index 0000000..82cfc0c --- /dev/null +++ b/usr/share/pam-configs/tally2-security-misc @@ -0,0 +1,10 @@ +Name: lock accounts after 5 failed authentication attempts (by package security-misc) +Default: yes +Priority: 260 +Auth-Type: Primary +Auth: + optional pam_exec.so debug stdout seteuid /usr/lib/security-misc/pam_tally2-info + requisite pam_tally2.so even_deny_root deny=100 onerr=fail audit debug +Account-Type: Primary +Account: + requisite pam_tally2.so debug 
diff --git a/usr/share/pam-configs/usergroups b/usr/share/pam-configs/usergroups-security-misc similarity index 73% rename from usr/share/pam-configs/usergroups rename to usr/share/pam-configs/usergroups-security-misc index a089e63..a613a24 100644 --- a/usr/share/pam-configs/usergroups +++ b/usr/share/pam-configs/usergroups-security-misc @@ -3,4 +3,4 @@ Default: yes Priority: 256 Session-Type: Additional Session: - optional pam_umask.so usergroups + optional pam_umask.so usergroups umask=006 diff --git a/usr/share/pam-configs/wheel-security-misc b/usr/share/pam-configs/wheel-security-misc new file mode 100644 index 0000000..661e639 --- /dev/null +++ b/usr/share/pam-configs/wheel-security-misc @@ -0,0 +1,6 @@ +Name: group sudo membership required to use su (by package security-misc) +Default: yes +Priority: 270 +Auth-Type: Primary +Auth: + requisite pam_wheel.so group=sudo debug
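Review bot: In the README install section, `1\. Download [Whonix's Signing Key]().` has an empty link target; the line it replaces pointed at https://www.whonix.org/wiki/Whonix_Signing_Key, so restore that URL. Two more points in the same hunk: step 1 runs `wget https://www.whonix.org/patrick.asc`, which saves into the current directory, while step 2 runs `sudo apt-key ... add ~/patrick.asc`, so the two steps only fit together if the user happens to be in their home directory (use `wget -O ~/patrick.asc ...` or drop the `~/`). And the removed `--recv-keys 916B8D99C38EAF5E8ADC7A2A8D66066A2EEACCDA` pinned the key by fingerprint, whereas the new flow only says users "can check" the key; make the fingerprint comparison an explicit numbered step between download and `apt-key add` (for instance `gpg --keyid-format long --import-options show-only --import ~/patrick.asc` compared against the fingerprint on the wiki page), otherwise the HTTPS download is the only thing authenticating the repository key.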
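Review bot: In debian/control, the new hard `Depends:` on `apparmor-profile-anondist` ties a generic hardening package to a Whonix-specific profile package and makes security-misc uninstallable on a plain Debian system without the Whonix repository. The denial quoted in the commit message (`profile="/usr/bin/whonixcheck" name="/usr/lib/security-misc/permission-lockdown" ... denied_mask="x"`) is a rule missing from the whonixcheck profile, so the fix belongs in that profile or in a snippet this package ships under /etc/apparmor.d/local/; a `Recommends:` would be the weaker relationship if the dependency has to stay.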
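Review bot: For etc/default/grub.d/40_only_allow_signed_modules.cfg, the README/control bullet should document two consequences of `module.sig_enforce=1`: it only takes effect on kernels built with CONFIG_MODULE_SIG (check with `grep CONFIG_MODULE_SIG /boot/config-$(uname -r)`), and on such kernels it refuses every locally built out-of-tree module, so DKMS modules (virtualbox, nvidia and the like) stop loading until they are signed with a key the kernel trusts. The drop-in is also only picked up after `update-grub` runs and the machine reboots; this diff does not show a postinst hook or trigger for that, so confirm one exists or mention the manual step in the README.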
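Review bot: In usr/lib/security-misc/remove-system.map, the loop declares `for filename in /boot/System.map-*` but the body tests and removes `"$(unknown)"`, a command substitution of a non-existent command that expands to an empty string, so `rm --verbose --force ""` never deletes anything and the `-f` test is always false. Unless this is an artifact of how the patch was pasted, both occurrences should read `"$filename"`; the `--verbose` switch is fine and gives the self-documenting output the commit message asks for.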
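Review bot: In usr/lib/security-misc/pam_tally2-info, the auth.log parsing takes the last `, deny` line of any user (`temp="$(grep pam_tally2 /var/log/auth.log | grep ", deny" | tail -1)"`) and only then filters by `$PAM_USER`, so whenever the most recent tally line belongs to a different user `last_line_of_user` is empty, `tally` and `deny` are empty, the non-numeric guards pass (an empty string matches neither pattern) and `remaining_attempts="$(( $deny - $tally ))"` aborts with an arithmetic error. The commented-out line just below it has the right order (filter by user first, then `tail -1`); use that, add an "empty means unknown, exit 0" check before the arithmetic, and include the trailing space or `(` in the match (`"): user $PAM_USER "`), since `"): user $PAM_USER"` also matches `user2` for `user`. The assignment `last_line_of_user="$(echo "$temp" | grep "pam_tally2")"` is overwritten on the next line and can go, and `## Thanks to:` is missing its attribution. Finally, every message goes to `>&2`, but the `stdout` option in tally2-security-misc only forwards standard output to the calling application; the text is visible today only because sudo and getty leave stderr on the terminal, and it is lost for services without one, so print it to stdout as the commit message intends.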
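Review bot: In usr/lib/security-misc/permission-lockdown, the `"$folder_name" = "/home/"` guard is dead code because `shopt -s nullglob` makes `/home/*` expand to nothing rather than to `/home/` when the directory is empty; harmless, but misleading. The real gap is that the loop acts on every directory under /home regardless of ownership, so a `lost+found` on a separate /home filesystem or a shared directory gets `chmod o-rwx` as well; restricting the loop to directories that are the home of an account in `getent passwd` would match the intent stated in the Name line of the PAM profile. Since the comment header already documents why the script is limited to /home, the ownership check belongs there too.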
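Review bot: In usr/share/pam-configs/mkhomedir-security-misc, `optional pam_mkhomedir.so umask=006` creates the home directory as 0771 (0777 & ~006), so other users can traverse it until the permission-lockdown profile (priority 50, which pam-auth-update orders after this priority-100 profile) runs `chmod o-rwx` on it, and only if that profile is enabled. Use `umask=007` (or `umask=077`) here so the directory is never world-traversable in the first place, and note the ordering dependency between the two profiles in a comment.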
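Review bot: In usr/share/pam-configs/permission-lockdown-security-misc, the profile lacks `Session-Interactive-Only: yes`, unlike the mkhomedir profile in the same patch, so `pam_exec.so debug stdout seteuid /usr/lib/security-misc/permission-lockdown` also runs for every cron, at and similar non-interactive session and writes its `chmod o-rwx` output into those jobs' output. Add the flag, and consider dropping `debug` from the shipped profile.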
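Review bot: In usr/share/pam-configs/tally2-security-misc, `requisite pam_tally2.so even_deny_root deny=100 onerr=fail audit debug` contradicts "Lock user accounts after 5 failed login attempts" in the README and control hunks and in this profile's own Name line; the upstream changelog says 100 is a value chosen "during testing, due to issues", so either the text or the value needs to change before release. With `even_deny_root` and no `unlock_time`/`root_unlock_time`, the lockout is permanent: anyone who can reach a login prompt can lock out root, and pam_tally2-info then sends the administrator to recovery mode. A bounded `root_unlock_time=` limits that denial of service without giving up the lockout; `debug` should not ship enabled.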
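Review bot: In usr/share/pam-configs/usergroups-security-misc, adding `umask=006` to `optional pam_umask.so usergroups umask=006` makes `usergroups` a no-op: that option sets the group bits equal to the owner bits only for accounts whose primary group has the same name as the user, and with 006 the group bits are already zero for everyone. The README/control bullet ("Enables pam_umask.so usergroups so group permissions are same as user permissions") therefore no longer describes what happens, and on accounts that are not User Private Groups (primary group `users`, for example) every member of that group gets read and write access to newly created files. Either keep `usergroups` without the explicit `umask=` and let UMASK in /etc/login.defs.security-misc supply the default, or document that the relaxation now applies to non-UPG accounts as well.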