Merge branch 'master' into patch-21

Patrick Schleizer 2019-08-16 14:35:51 +00:00 committed by GitHub
commit 85502ad430
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
16 changed files with 711 additions and 55 deletions

debian/changelog

@ -1,3 +1,57 @@
security-misc (3:7.1-1) unstable; urgency=medium
* New upstream version (local package).
-- Patrick Schleizer <adrelanos@riseup.net> Thu, 15 Aug 2019 15:18:02 +0000
security-misc (3:7.0-1) unstable; urgency=medium
* New upstream version (local package).
-- Patrick Schleizer <adrelanos@riseup.net> Wed, 14 Aug 2019 11:52:26 +0000
security-misc (3:6.9-1) unstable; urgency=medium
* New upstream version (local package).
-- Patrick Schleizer <adrelanos@riseup.net> Wed, 14 Aug 2019 11:13:25 +0000
security-misc (3:6.8-1) unstable; urgency=medium
* New upstream version (local package).
-- Patrick Schleizer <adrelanos@riseup.net> Wed, 14 Aug 2019 10:08:18 +0000
security-misc (3:6.7-1) unstable; urgency=medium
* New upstream version (local package).
-- Patrick Schleizer <adrelanos@riseup.net> Wed, 14 Aug 2019 07:02:09 +0000
security-misc (3:6.6-1) unstable; urgency=medium
* New upstream version (local package).
-- Patrick Schleizer <adrelanos@riseup.net> Sun, 11 Aug 2019 12:07:07 +0000
security-misc (3:6.5-1) unstable; urgency=medium
* New upstream version (local package).
-- Patrick Schleizer <adrelanos@riseup.net> Sat, 10 Aug 2019 11:37:02 +0000
security-misc (3:6.4-1) unstable; urgency=medium
* New upstream version (local package).
-- Patrick Schleizer <adrelanos@riseup.net> Thu, 01 Aug 2019 12:02:41 +0000
security-misc (3:6.3-1) unstable; urgency=medium
* New upstream version (local package).
-- Patrick Schleizer <adrelanos@riseup.net> Wed, 31 Jul 2019 19:12:27 +0000
security-misc (3:6.2-1) unstable; urgency=medium
* New upstream version (local package).

debian/control

@ -13,8 +13,8 @@ Standards-Version: 4.3.0
Package: security-misc
Architecture: all
Depends: python, libglib2.0-bin, libpam-runtime, libpam-cgfs, sudo,
${misc:Depends}
Depends: python, libglib2.0-bin, libpam-runtime, sudo,
apparmor-profile-anondist, ${misc:Depends}
Replaces: tcp-timestamps-disable
Description: enhances misc security settings
kernel hardening:
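Review bot: the Depends change swaps libpam-cgfs for apparmor-profile-anondist, but nothing in this commit explains either side of it: every changelog entry in the merge reads "New upstream version (local package)", and the Description gains no bullet saying what apparmor-profile-anondist provides. A changelog line naming the dependency change, plus a Description bullet for the AppArmor profile, would let users judge whether a hard Depends (rather than Recommends) is really required.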
@ -57,6 +57,9 @@ Description: enhances misc security settings
* The SysRq key is restricted to only allow shutdowns/reboots.
A systemd service clears System.map on boot as these contain kernel symbols
that could be useful to an attacker.
/etc/kernel/postinst.d/30_remove-system-map
/lib/systemd/system/remove-system-map.service
/usr/lib/security-misc/remove-system.map
.
* Coredumps are disabled as they may contain important information such as
encryption keys or passwords.
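Review bot: the third path added here, /usr/lib/security-misc/remove-system.map, uses a dot where the two sibling files use a hyphen (30_remove-system-map, remove-system-map.service); confirm that the shipped script really is named remove-system.map, otherwise the Description points readers at a file that does not exist.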
@ -71,6 +74,11 @@ Description: enhances misc security settings
.
* Bluetooth is blacklisted to reduce attack surface. Bluetooth also has
a history of [security concerns](https://en.wikipedia.org/wiki/Bluetooth#History_of_security_concerns).
.
* Requires every module to be signed before being loaded. Any module that is
unsigned or signed with an invalid key cannot be loaded. This makes it harder
to load a malicious module.
/etc/default/grub.d/40_only_allow_signed_modules.cfg
.
Uncommon network protocols are blacklisted:
These are rarely used and may have unknown vulnerabilities.
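Review bot: the module-signing bullet states the effect but not its consequences. Because the setting is applied from /etc/default/grub.d/40_only_allow_signed_modules.cfg it only takes effect once the GRUB configuration is regenerated and the system rebooted, and "Any module that is unsigned or signed with an invalid key cannot be loaded" also covers locally built out-of-tree modules; the bullet should say which kernels this applies to and what a user with such modules should expect.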
@ -111,7 +119,7 @@ Description: enhances misc security settings
.
* `su` is restricted to only users within the group `sudo` which prevents
users from using `su` to gain root access or to switch user accounts.
/usr/share/pam-configs/security-misc
/usr/share/pam-configs/wheel-security-misc
(Which results in a change in file `/etc/pam.d/common-auth`.)
.
* Add user `root` to group `sudo`. This is required to make above work so
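Review bot: the pam-configs profile referenced by the su restriction is renamed from security-misc to wheel-security-misc, but nothing visible in this commit removes the old profile name on upgrade; the postinst hunk below only runs pam-auth-update --package, which applies profiles by name, so the old security-misc profile can remain active alongside the new one. A removal step for the old profile name (or a note that it is handled in preinst) is worth adding.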
@ -119,33 +127,49 @@ Description: enhances misc security settings
debian/security-misc.postinst
.
* Lock user accounts after 5 failed login attempts using pam_tally2.
/usr/share/pam-configs/security-misc
/usr/share/pam-configs/tally2-security-misc
.
* Logging into the root account from a virtual, serial, whatnot console is
prevented by shipping an existing and empty /etc/securetty.
(Deletion of /etc/securetty has a different effect.)
/etc/securetty.security-misc
.
informational output during PAM:
.
* Show failed and remaining password attempts.
* Document unlock procedure if Linux user account got locked.
* Point out, that there is no password feedback for `su`.
* Explain locked (root) account if locked.
* /usr/share/pam-configs/tally2-security-misc
* /usr/lib/security-misc/pam_tally2-info
.
access rights restrictions:
.
* The default umask is changed to 006. This allows only the owner and group
to read and write to newly created files.
/etc/login.defs.security-misc
/usr/share/pam-configs/usergroups-security-misc
.
* Enables pam_umask.so usergroups so group permissions are same as user
permissions. Debian by default uses User Private Groups (UPG).
https://wiki.debian.org/UserPrivateGroups
/usr/share/pam-configs/usergroups
/usr/share/pam-configs/usergroups-security-misc
.
* Create home directory on login with umask 006 using
pam_mkhomedir.so umask=006
/usr/share/pam-configs/mkhomedir-security-misc
.
* Removes read, write and execute access for others for all users who have
home folders under folder /home by running for example
"chmod o-rwx /home/user"
during package installation or upgrade. This will be done only once per folder
in folder /home so users who wish to relax file permissions are free to do so.
This is to protect previously created files in user home folder which were
previously created with lax file permissions prior installation of this
during package installation, upgrade or pam. This will be done only once per
folder in folder /home so users who wish to relax file permissions are free to
do so. This is to protect previously created files in user home folder which
were previously created with lax file permissions prior installation of this
package.
debian/security-misc.postinst
/usr/share/pam-configs/permission-lockdown-security-misc
/usr/lib/security-misc/permission-lockdown
.
access rights relaxations:
.
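Review bot: the pam_umask bullet lists both /usr/share/pam-configs/usergroups and /usr/share/pam-configs/usergroups-security-misc, while every other bullet in this hunk lists only the -security-misc-suffixed profile; if usergroups is the old name it should be dropped from the Description (and removed on upgrade, as with the su profile), since two applied profiles would add pam_umask.so usergroups twice. Smaller points: the umask 006 bullet's "only the owner and group" holds for files (660) but directories still get execute for others (771), and in the last bullet "prior installation" should read "prior to installation" and "previously created ... previously created" is duplicated.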

View file

@ -15,32 +15,6 @@ true "
#####################################################################
"
home_folder_access_rights_lockdown() {
mkdir -p /var/cache/security-misc/state-files
shopt -s nullglob
## Not using dotglob.
## touch /var/cache/security-misc/state-files//home/.Trash
## touch: cannot touch '/var/cache/security-misc/state-files//home/.Trash': No such file or directory
local folder_name base_name
for folder_name in /home/* ; do
base_name="$(basename "$folder_name")"
if [ -f "/var/cache/security-misc/state-files/$base_name" ]; then
continue
fi
chmod o-rwx "$folder_name"
## Create a state-file so we do this only once.
## Therefore a user who will manually undo this, will not get
## annoyed by this being done over and over again.
touch "/var/cache/security-misc/state-files/$base_name"
done
shopt -u nullglob
}
case "$1" in
configure)
glib-compile-schemas /usr/share/glib-2.0/schemas || true
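Review bot: the function removed here keyed its once-only behaviour on /var/cache/security-misc/state-files/<user>; the replacement /usr/lib/security-misc/permission-lockdown must read and write the same state-file path and naming, otherwise users who deliberately relaxed their home directory permissions after the first run get chmod o-rwx re-applied on the next upgrade, which is exactly what the removed comments say the state files exist to prevent.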
@ -59,7 +33,7 @@ addgroup root sudo
pam-auth-update --package
home_folder_access_rights_lockdown
/usr/lib/security-misc/permission-lockdown
true "INFO: debhelper beginning here."
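Review bot: /usr/lib/security-misc/permission-lockdown is now called unconditionally by absolute path in configure, and the control Description says the same script is also triggered from PAM via permission-lockdown-security-misc; make sure it is idempotent and that a missing or non-executable script, or a chmod failure on a single home directory, does not abort the postinst and leave the package half-configured. The removed inline function simply continued to the next directory, so the new script should preserve that behaviour.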