Merge branch 'master' into patch-21

Patrick Schleizer 2019-08-16 14:35:51 +00:00 committed by GitHub
commit 85502ad430
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
16 changed files with 711 additions and 55 deletions


@ -40,6 +40,9 @@ KASLR effectiveness.
* The SysRq key is restricted to only allow shutdowns/reboots. * The SysRq key is restricted to only allow shutdowns/reboots.
A systemd service clears System.map on boot as these contain kernel symbols A systemd service clears System.map on boot as these contain kernel symbols
that could be useful to an attacker. that could be useful to an attacker.
/etc/kernel/postinst.d/30_remove-system-map
/lib/systemd/system/remove-system-map.service
/usr/lib/security-misc/remove-system.map
* Coredumps are disabled as they may contain important information such as * Coredumps are disabled as they may contain important information such as
encryption keys or passwords. encryption keys or passwords.
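Review bot: the three paths added under the System.map entry spell the same component two ways: the kernel hook and the unit are `30_remove-system-map` and `remove-system-map.service`, while the helper script is `remove-system.map`. Pick one spelling (the hyphenated form already used by the other two files) so the dotted name is not mistaken for a typo, or add a word saying the script deliberately carries the `System.map` name.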
@ -52,6 +55,11 @@ for DMA (Direct Memory Access) attacks.
* The kernel now panics on oopses to prevent it from continuing running a * The kernel now panics on oopses to prevent it from continuing running a
flawed process. flawed process.
Requires every module to be signed before being loaded. Any module that is
unsigned or signed with an invalid key cannot be loaded. This makes it harder
to load a malicious module.
/etc/default/grub.d/40_only_allow_signed_modules.cfg
Uncommon network protocols are blacklisted: Uncommon network protocols are blacklisted:
These are rarely used and may have unknown vulnerabilities. These are rarely used and may have unknown vulnerabilities.
/etc/modprobe.d/uncommon-network-protocols.conf /etc/modprobe.d/uncommon-network-protocols.conf
@ -91,7 +99,7 @@ restricts access to the root account:
* `su` is restricted to only users within the group `sudo` which prevents * `su` is restricted to only users within the group `sudo` which prevents
users from using `su` to gain root access or to switch user accounts. users from using `su` to gain root access or to switch user accounts.
/usr/share/pam-configs/security-misc /usr/share/pam-configs/wheel-security-misc
(Which results in a change in file `/etc/pam.d/common-auth`.) (Which results in a change in file `/etc/pam.d/common-auth`.)
* Add user `root` to group `sudo`. This is required to make above work so * Add user `root` to group `sudo`. This is required to make above work so
@ -99,33 +107,49 @@ login as a user in a virtual console is still possible.
debian/security-misc.postinst debian/security-misc.postinst
* Lock user accounts after 5 failed login attempts using pam_tally2. * Lock user accounts after 5 failed login attempts using pam_tally2.
/usr/share/pam-configs/security-misc /usr/share/pam-configs/tally2-security-misc
* Logging into the root account from a virtual, serial, whatnot console is * Logging into the root account from a virtual, serial, whatnot console is
prevented by shipping an existing and empty /etc/securetty. prevented by shipping an existing and empty /etc/securetty.
(Deletion of /etc/securetty has a different effect.) (Deletion of /etc/securetty has a different effect.)
/etc/securetty.security-misc /etc/securetty.security-misc
informational output during PAM:
* Show failed and remaining password attempts.
* Document unlock procedure if Linux user account got locked.
* Point out, that there is no password feedback for `su`.
* Explain locked (root) account if locked.
* /usr/share/pam-configs/tally2-security-misc
* /usr/lib/security-misc/pam_tally2-info
access rights restrictions: access rights restrictions:
* The default umask is changed to 006. This allows only the owner and group * The default umask is changed to 006. This allows only the owner and group
to read and write to newly created files. to read and write to newly created files.
/etc/login.defs.security-misc /etc/login.defs.security-misc
/usr/share/pam-configs/usergroups-security-misc
* Enables pam_umask.so usergroups so group permissions are same as user * Enables pam_umask.so usergroups so group permissions are same as user
permissions. Debian by default uses User Private Groups (UPG). permissions. Debian by default uses User Private Groups (UPG).
https://wiki.debian.org/UserPrivateGroups https://wiki.debian.org/UserPrivateGroups
/usr/share/pam-configs/usergroups /usr/share/pam-configs/usergroups-security-misc
* Create home directory on login with umask 006 using
pam_mkhomedir.so umask=006
/usr/share/pam-configs/mkhomedir-security-misc
* Removes read, write and execute access for others for all users who have * Removes read, write and execute access for others for all users who have
home folders under folder /home by running for example home folders under folder /home by running for example
"chmod o-rwx /home/user" "chmod o-rwx /home/user"
during package installation or upgrade. This will be done only once per folder during package installation, upgrade or pam. This will be done only once per
in folder /home so users who wish to relax file permissions are free to do so. folder in folder /home so users who wish to relax file permissions are free to
This is to protect previously created files in user home folder which were do so. This is to protect previously created files in user home folder which
previously created with lax file permissions prior installation of this were previously created with lax file permissions prior installation of this
package. package.
debian/security-misc.postinst debian/security-misc.postinst
/usr/share/pam-configs/permission-lockdown-security-misc
/usr/lib/security-misc/permission-lockdown
access rights relaxations: access rights relaxations:
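Review bot: in the "informational output during PAM" block the two file paths are written as `*` bullets alongside the feature descriptions, whereas everywhere else in this README paths sit unbulleted under the item they belong to; drop the `*` on `/usr/share/pam-configs/tally2-security-misc` and `/usr/lib/security-misc/pam_tally2-info`. Two wording nits in the same hunk: "Point out, that there is no password feedback" has a stray comma, and "during package installation, upgrade or pam" is clearer as "during package installation, upgrade or PAM session setup", since "pam" alone does not say when the hook fires.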
@ -186,16 +210,24 @@ Application specific hardening:
* Deactivates thumbnails in Thunar. * Deactivates thumbnails in Thunar.
## How to install `security-misc` using apt-get ## ## How to install `security-misc` using apt-get ##
1\. Add [Whonix's Signing Key](https://www.whonix.org/wiki/Whonix_Signing_Key). 1\. Download [Whonix's Signing Key]().
``` ```
sudo apt-key --keyring /etc/apt/trusted.gpg.d/whonix.gpg adv --keyserver hkp://ipv4.pool.sks-keyservers.net:80 --recv-keys 916B8D99C38EAF5E8ADC7A2A8D66066A2EEACCDA wget https://www.whonix.org/patrick.asc
```
Users can [check Whonix Signing Key](https://www.whonix.org/wiki/Whonix_Signing_Key) for better security.
2\. Add Whonix's signing key.
```
sudo apt-key --keyring /etc/apt/trusted.gpg.d/whonix.gpg add ~/patrick.asc
``` ```
3\. Add Whonix's APT repository. 3\. Add Whonix's APT repository.
``` ```
echo "deb http://deb.whonix.org buster main contrib non-free" | sudo tee /etc/apt/sources.list.d/whonix.list echo "deb https://deb.whonix.org buster main contrib non-free" | sudo tee /etc/apt/sources.list.d/whonix.list
``` ```
4\. Update your package lists. 4\. Update your package lists.
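Review bot: step 1 now links the signing key with an empty target, `[Whonix's Signing Key]()`, so the link is dead; restore the wiki URL the previous revision carried. Steps 1 and 2 also disagree on where the key file lands: `wget https://www.whonix.org/patrick.asc` saves into the current directory, but step 2 adds `~/patrick.asc`, which only works if the user happened to run wget from their home directory; use `wget -O ~/patrick.asc ...` or `add patrick.asc`. Since this replaces the keyserver fetch by full fingerprint with a plain download, the sentence "Users can check Whonix Signing Key for better security" is now the only verification step in the procedure and should be worded as a step to perform, not an option.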


@ -1,3 +1,368 @@
commit a11e3cea9eb160ba84dbc273ea4cb48bc687158f
Author: Patrick Schleizer <adrelanos@riseup.net>
Date: Thu Aug 15 15:08:48 2019 +0000
readme
commit ff9bc1d7ea81a8507f44d9bb1301b9665614ebdd
Author: Patrick Schleizer <adrelanos@riseup.net>
Date: Thu Aug 15 13:37:28 2019 +0000
informational output during PAM:
* Show failed and remaining password attempts.
* Document unlock procedure if Linux user account got locked.
* Point out, that there is no password feedback for `su`.
* Explain locked (root) account if locked.
* /usr/share/pam-configs/tally2-security-misc
* /usr/lib/security-misc/pam_tally2-info
commit 454e1358220abf75def0d88a22426086a55c0802
Author: Patrick Schleizer <adrelanos@riseup.net>
Date: Thu Aug 15 07:33:41 2019 +0000
pam_tally2.so even_deny_root
commit 63b476221c7b9ece6b99f9e194fab80e300275d9
Author: Patrick Schleizer <adrelanos@riseup.net>
Date: Thu Aug 15 07:30:56 2019 +0000
use requisite rather than required to avoid asking for password needlessly
if login will fail anyhow
commit ce4a30d3cecb7e9bddb96c79aab871804cb90bd4
Author: Patrick Schleizer <adrelanos@riseup.net>
Date: Wed Aug 14 11:52:26 2019 +0000
bumped changelog version
commit a7c25a451c78f7b9a5720e1b6fc7d168eb0afa4f
Author: Patrick Schleizer <adrelanos@riseup.net>
Date: Wed Aug 14 11:50:53 2019 +0000
remove unneeded dependency on libpam-cgfs
commit 633854c6bec439af9718439c8207012322800166
Author: Patrick Schleizer <adrelanos@riseup.net>
Date: Wed Aug 14 11:13:25 2019 +0000
bumped changelog version
commit 0feb54b28e90b5c4cfcd529914a3892362c34966
Author: Patrick Schleizer <adrelanos@riseup.net>
Date: Wed Aug 14 11:10:18 2019 +0000
add Depends: apparmor-profile-anondist to fix apparmor issue
sudo[19806]: pam_exec(sudo:session): execve(/usr/lib/security-misc/permission-lockdown,...) failed: Permission denied
sudo[18961]: pam_exec(sudo:session): /usr/lib/security-misc/permission-lockdown failed: exit code 13
kernel: audit: type=1400 audit(1565780860.972:224): apparmor="DENIED" operation="exec" profile="/usr/bin/whonixcheck" name="/usr/lib/security-misc/permission-lockdown" pid=19806 comm="sudo" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
commit 8fdc77fed553d7ba6123d738b9cb3efe98f3f08f
Author: Patrick Schleizer <adrelanos@riseup.net>
Date: Wed Aug 14 10:33:23 2019 +0000
output to stdout
commit 5213cfbcdcb41a5aa714d1031b36436adeb0359c
Author: Patrick Schleizer <adrelanos@riseup.net>
Date: Wed Aug 14 10:08:18 2019 +0000
bumped changelog version
commit 2875adb7221769dcd23ef701dae8b9ad24708590
Author: Patrick Schleizer <adrelanos@riseup.net>
Date: Wed Aug 14 10:07:55 2019 +0000
readme
commit 01b3a0bfaeda0dad87644ad8d54c61e07dd501f7
Author: Patrick Schleizer <adrelanos@riseup.net>
Date: Wed Aug 14 09:52:53 2019 +0000
description
commit 547ba91d799780487782cdd8088c556d978494e8
Author: Patrick Schleizer <adrelanos@riseup.net>
Date: Wed Aug 14 09:45:30 2019 +0000
sanity test
commit dee195d89e94ff343cec60308cbbb5464d2a7b18
Author: Patrick Schleizer <adrelanos@riseup.net>
Date: Wed Aug 14 09:40:41 2019 +0000
description
commit 799acad724977dea220c2228f9da0db3d6b5170e
Author: Patrick Schleizer <adrelanos@riseup.net>
Date: Wed Aug 14 09:39:43 2019 +0000
skip, if not a folder
commit 6321ff5ad5938a929d4a997b4f1b03db2ac4b5fd
Author: Patrick Schleizer <adrelanos@riseup.net>
Date: Wed Aug 14 09:38:44 2019 +0000
refactoring
commit 15094cab4fbbb1fd0c20bd8241ea20bd6c0bd331
Author: Patrick Schleizer <adrelanos@riseup.net>
Date: Wed Aug 14 09:36:30 2019 +0000
avoid ' character in usr/share/pam-configs; in description
commit 97d1945e61053efd3b73fb9f761b3ea1c9271cdc
Author: Patrick Schleizer <adrelanos@riseup.net>
Date: Wed Aug 14 09:32:58 2019 +0000
no log needed, informative output to stdout instead
commit a085d46c567b0b5dbbaddd8f3e5873d87d904c4a
Author: Patrick Schleizer <adrelanos@riseup.net>
Date: Wed Aug 14 09:31:58 2019 +0000
change priories so "pam_umask.so usergroups umask=006" runs before pam_exec.so /usr/lib/security-misc/permission-lockdown
commit f8c828b69a8f52108d19af4076e718930b5dcd07
Author: Patrick Schleizer <adrelanos@riseup.net>
Date: Wed Aug 14 05:19:02 2019 -0400
output
commit e5da6d9699de1d3c4aaefee7d301a4c47f33e4bd
Author: Patrick Schleizer <adrelanos@riseup.net>
Date: Wed Aug 14 05:17:54 2019 -0400
copyright
commit 1595789d7c310c80196345e06b6bacc8fb7c0baf
Author: Patrick Schleizer <adrelanos@riseup.net>
Date: Wed Aug 14 05:17:16 2019 -0400
comment
commit ce06fdf91103afbaf84523ce998570af733b5bbe
Author: Patrick Schleizer <adrelanos@riseup.net>
Date: Wed Aug 14 05:15:53 2019 -0400
formatting
commit 21489111d107023f150988137180154ba62e1ff2
Author: Patrick Schleizer <adrelanos@riseup.net>
Date: Wed Aug 14 08:34:03 2019 +0000
run permission lockdown during pam
https://forums.whonix.org/t/change-default-umask/7416
commit 42f2d5f6664f15baebdaf200a5690cf32cdbe284
Author: Patrick Schleizer <adrelanos@riseup.net>
Date: Wed Aug 14 07:39:28 2019 +0000
description
commit 52df8dc0149d597c3106daa7112a01db444e34f1
Author: Patrick Schleizer <adrelanos@riseup.net>
Date: Wed Aug 14 07:37:21 2019 +0000
optional pam_umask.so usergroups umask=006
commit f210294f4091b6a09c902a446b125c26022c5d2a
Author: Patrick Schleizer <adrelanos@riseup.net>
Date: Wed Aug 14 07:24:24 2019 +0000
description
commit dbea7d1511d8e1b2604960d37146ec931d9dfe15
Author: Patrick Schleizer <adrelanos@riseup.net>
Date: Wed Aug 14 07:22:14 2019 +0000
add hook etc/kernel/postinst.d/30_remove-system-map to remove system.map
on kernel package upgrade;
self-document this package: during upgrade the following will be written
to stdout:
Setting up linux-image-4.19.0-5-amd64 (4.19.37-5+deb10u2) ...
/etc/kernel/postinst.d/30_remove-system-map:
removed '/boot/System.map-4.19.0-5-amd64
commit f1d8cbc9fb2b800205923cce77a8e242dddd133c
Author: Patrick Schleizer <adrelanos@riseup.net>
Date: Wed Aug 14 07:02:09 2019 +0000
bumped changelog version
commit 41f4441d9dc5777d4ea7424f8422164c548da091
Author: Patrick Schleizer <adrelanos@riseup.net>
Date: Wed Aug 14 07:01:47 2019 +0000
readme
commit a82448d46af4fb9dce2de84025b8b820a11fae01
Author: Patrick Schleizer <adrelanos@riseup.net>
Date: Wed Aug 14 07:01:25 2019 +0000
description
commit ff8c0979435b491cf462c5ef6e8e02f6d85f1d81
Merge: 6f8acf0 a8ea379
Author: Patrick Schleizer <adrelanos@riseup.net>
Date: Wed Aug 14 06:59:50 2019 +0000
Merge remote-tracking branch 'origin/master'
commit a8ea37952669b3f40a452cb580442126ec44233a
Merge: 6f8acf0 9a49b8e
Author: Patrick Schleizer <adrelanos@riseup.net>
Date: Wed Aug 14 06:59:34 2019 +0000
Merge pull request #28 from madaidan/patch-22
Require all loaded kernel modules to be signed with a valid key.
commit 9a49b8ecbb863a995862a4d380c6a03f6c0991ac
Author: madaidan <50278627+madaidan@users.noreply.github.com>
Date: Tue Aug 13 13:33:07 2019 +0000
Create 40_only_allow_signed_modules.cfg
Require all loaded kernel modules to be signed with a valid key.
commit 6f8acf06d79c77e3bee15cc8696a433271e2b7c9
Author: Patrick Schleizer <adrelanos@riseup.net>
Date: Sun Aug 11 12:07:07 2019 +0000
bumped changelog version
commit 52cee9128316d649ba7ffa9600d0fdc33c99a9a9
Author: Patrick Schleizer <adrelanos@riseup.net>
Date: Sun Aug 11 11:39:32 2019 +0000
readme
commit aacd9c7679b05b7ee59df484f21a24fe7aa5901d
Author: Patrick Schleizer <adrelanos@riseup.net>
Date: Sun Aug 11 10:34:38 2019 +0000
description
commit c0b5c70de498d891e4edd5b9af2292909be36776
Author: Patrick Schleizer <adrelanos@riseup.net>
Date: Sun Aug 11 10:33:22 2019 +0000
description
commit 2f37a66fd009c9cba423c0f95833a71c8669af46
Author: Patrick Schleizer <adrelanos@riseup.net>
Date: Sun Aug 11 10:31:29 2019 +0000
description
commit e83ec79a25d09b2467e2389959d87267bab7f1f0
Author: Patrick Schleizer <adrelanos@riseup.net>
Date: Sun Aug 11 10:30:51 2019 +0000
enable usr/share/pam-configs/mkhomedir-security-misc by default
commit 1eb806a03ef25bb387fa80f45dd6509925437048
Author: Patrick Schleizer <adrelanos@riseup.net>
Date: Sun Aug 11 10:29:49 2019 +0000
pam_mkhomedir.so umask=006
commit c50eb3c9b07b9e54951eb08206db6d28383f6cdc
Author: Patrick Schleizer <adrelanos@riseup.net>
Date: Sun Aug 11 10:28:55 2019 +0000
add usr/share/pam-configs/mkhomedir-security-misc based on
/usr/share/pam-configs/mkhomedir
commit 75769151cd7980042357f18c5567adab2a031049
Author: Patrick Schleizer <adrelanos@riseup.net>
Date: Sat Aug 10 11:37:02 2019 +0000
bumped changelog version
commit a2fa18c38159161418edcdaacb1baad215f5d31d
Author: Patrick Schleizer <adrelanos@riseup.net>
Date: Sat Aug 10 07:07:28 2019 -0400
pam_tally2.so deny=100
during testing, due to issues
https://github.com/Whonix/security-misc/commit/d17e25272b9b7bbb6abc4dccd500a6b34311a7dd
https://forums.whonix.org/t/how-strong-do-linux-user-account-passwords-have-to-be-when-using-full-disk-encryption-fde-too/7698/12
commit d17e25272b9b7bbb6abc4dccd500a6b34311a7dd
Author: Patrick Schleizer <adrelanos@riseup.net>
Date: Sat Aug 10 06:06:39 2019 -0400
effectively (not directly) add "required pam_tally2.so debug" to /etc/pam.d/common-account
This is required because otherwise something like "sudo bash" would count as a
failed login for pam_tally2 even though it was successful.
https://bugzilla.redhat.com/show_bug.cgi?id=707660
https://forums.whonix.org/t/restrict-root-access/7658
commit 0f896a9d8d6f7c125311a0e226755f8a00214f3c
Author: Patrick Schleizer <adrelanos@riseup.net>
Date: Sat Aug 10 06:05:37 2019 -0400
add onerr=fail audit to pam_tally2
commit a703865dcf736996a58e6f684fc02f0e9dfa8cc7
Author: Patrick Schleizer <adrelanos@riseup.net>
Date: Thu Aug 1 12:02:41 2019 +0000
bumped changelog version
commit 1fe3036a4903588b89edd82e7097a665271fd27f
Author: Patrick Schleizer <adrelanos@riseup.net>
Date: Thu Aug 1 11:13:43 2019 +0000
readme
commit e076470f68dc18908c5ab1889232aaaa0fcb9f3d
Author: Patrick Schleizer <adrelanos@riseup.net>
Date: Thu Aug 1 11:04:58 2019 +0000
renamed: usr/share/pam-configs/usergroups -> usr/share/pam-configs/usergroups-security-misc
commit 830111e99aa6f45688c4ba00a7f41ea323f15f2a
Author: Patrick Schleizer <adrelanos@riseup.net>
Date: Thu Aug 1 11:04:22 2019 +0000
split usr/share/pam-configs/security-misc
into
usr/share/pam-configs/tally2-security-misc
usr/share/pam-configs/wheel-security-misc
commit 5d0aec1321b4f46f1834ba9ad166d2445a995fbb
Author: Patrick Schleizer <adrelanos@riseup.net>
Date: Wed Jul 31 19:12:27 2019 +0000
bumped changelog version
commit 89d32402b2dd2182dc6e7788d41708eaaeeb02c1
Author: Patrick Schleizer <adrelanos@riseup.net>
Date: Wed Jul 31 14:52:29 2019 -0400
fix, do not use "," inside /usr/share/pam-configs files
commit 864de10659d0145ae8883b98b1746a7debc9492a
Author: Patrick Schleizer <adrelanos@riseup.net>
Date: Wed Jul 31 15:17:51 2019 +0000
bumped changelog version
commit 47368ae4fccc85ab3197f07316b03c123187f9a2 commit 47368ae4fccc85ab3197f07316b03c123187f9a2
Author: Patrick Schleizer <adrelanos@riseup.net> Author: Patrick Schleizer <adrelanos@riseup.net>
Date: Wed Jul 31 15:15:30 2019 +0000 Date: Wed Jul 31 15:15:30 2019 +0000

debian/changelog

@ -1,3 +1,57 @@
security-misc (3:7.1-1) unstable; urgency=medium
* New upstream version (local package).
-- Patrick Schleizer <adrelanos@riseup.net> Thu, 15 Aug 2019 15:18:02 +0000
security-misc (3:7.0-1) unstable; urgency=medium
* New upstream version (local package).
-- Patrick Schleizer <adrelanos@riseup.net> Wed, 14 Aug 2019 11:52:26 +0000
security-misc (3:6.9-1) unstable; urgency=medium
* New upstream version (local package).
-- Patrick Schleizer <adrelanos@riseup.net> Wed, 14 Aug 2019 11:13:25 +0000
security-misc (3:6.8-1) unstable; urgency=medium
* New upstream version (local package).
-- Patrick Schleizer <adrelanos@riseup.net> Wed, 14 Aug 2019 10:08:18 +0000
security-misc (3:6.7-1) unstable; urgency=medium
* New upstream version (local package).
-- Patrick Schleizer <adrelanos@riseup.net> Wed, 14 Aug 2019 07:02:09 +0000
security-misc (3:6.6-1) unstable; urgency=medium
* New upstream version (local package).
-- Patrick Schleizer <adrelanos@riseup.net> Sun, 11 Aug 2019 12:07:07 +0000
security-misc (3:6.5-1) unstable; urgency=medium
* New upstream version (local package).
-- Patrick Schleizer <adrelanos@riseup.net> Sat, 10 Aug 2019 11:37:02 +0000
security-misc (3:6.4-1) unstable; urgency=medium
* New upstream version (local package).
-- Patrick Schleizer <adrelanos@riseup.net> Thu, 01 Aug 2019 12:02:41 +0000
security-misc (3:6.3-1) unstable; urgency=medium
* New upstream version (local package).
-- Patrick Schleizer <adrelanos@riseup.net> Wed, 31 Jul 2019 19:12:27 +0000
security-misc (3:6.2-1) unstable; urgency=medium security-misc (3:6.2-1) unstable; urgency=medium
* New upstream version (local package). * New upstream version (local package).

debian/control

@ -13,8 +13,8 @@ Standards-Version: 4.3.0
Package: security-misc Package: security-misc
Architecture: all Architecture: all
Depends: python, libglib2.0-bin, libpam-runtime, libpam-cgfs, sudo, Depends: python, libglib2.0-bin, libpam-runtime, sudo,
${misc:Depends} apparmor-profile-anondist, ${misc:Depends}
Replaces: tcp-timestamps-disable Replaces: tcp-timestamps-disable
Description: enhances misc security settings Description: enhances misc security settings
kernel hardening: kernel hardening:
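Review bot: the new hard `Depends: apparmor-profile-anondist` ties an otherwise distribution-neutral hardening package to a Whonix-specific profile package, making security-misc uninstallable on plain Debian. The changelog entry explains it was added because the `/usr/bin/whonixcheck` AppArmor profile denied exec of the new `/usr/lib/security-misc/permission-lockdown` helper when sudo ran the PAM session hook; that is a fix for the whonixcheck profile (an exec rule for the helper), and at most a `Recommends:` here. Dropping the unused `libpam-cgfs` dependency in the same hunk is fine.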
@ -57,6 +57,9 @@ Description: enhances misc security settings
* The SysRq key is restricted to only allow shutdowns/reboots. * The SysRq key is restricted to only allow shutdowns/reboots.
A systemd service clears System.map on boot as these contain kernel symbols A systemd service clears System.map on boot as these contain kernel symbols
that could be useful to an attacker. that could be useful to an attacker.
/etc/kernel/postinst.d/30_remove-system-map
/lib/systemd/system/remove-system-map.service
/usr/lib/security-misc/remove-system.map
. .
* Coredumps are disabled as they may contain important information such as * Coredumps are disabled as they may contain important information such as
encryption keys or passwords. encryption keys or passwords.
@ -71,6 +74,11 @@ Description: enhances misc security settings
. .
* Bluetooth is blacklisted to reduce attack surface. Bluetooth also has * Bluetooth is blacklisted to reduce attack surface. Bluetooth also has
a history of [security concerns](https://en.wikipedia.org/wiki/Bluetooth#History_of_security_concerns). a history of [security concerns](https://en.wikipedia.org/wiki/Bluetooth#History_of_security_concerns).
.
* Requires every module to be signed before being loaded. Any module that is
unsigned or signed with an invalid key cannot be loaded. This makes it harder
to load a malicious module.
/etc/default/grub.d/40_only_allow_signed_modules.cfg
. .
Uncommon network protocols are blacklisted: Uncommon network protocols are blacklisted:
These are rarely used and may have unknown vulnerabilities. These are rarely used and may have unknown vulnerabilities.
@ -111,7 +119,7 @@ Description: enhances misc security settings
. .
* `su` is restricted to only users within the group `sudo` which prevents * `su` is restricted to only users within the group `sudo` which prevents
users from using `su` to gain root access or to switch user accounts. users from using `su` to gain root access or to switch user accounts.
/usr/share/pam-configs/security-misc /usr/share/pam-configs/wheel-security-misc
(Which results in a change in file `/etc/pam.d/common-auth`.) (Which results in a change in file `/etc/pam.d/common-auth`.)
. .
* Add user `root` to group `sudo`. This is required to make above work so * Add user `root` to group `sudo`. This is required to make above work so
@ -119,33 +127,49 @@ Description: enhances misc security settings
debian/security-misc.postinst debian/security-misc.postinst
. .
* Lock user accounts after 5 failed login attempts using pam_tally2. * Lock user accounts after 5 failed login attempts using pam_tally2.
/usr/share/pam-configs/security-misc /usr/share/pam-configs/tally2-security-misc
. .
* Logging into the root account from a virtual, serial, whatnot console is * Logging into the root account from a virtual, serial, whatnot console is
prevented by shipping an existing and empty /etc/securetty. prevented by shipping an existing and empty /etc/securetty.
(Deletion of /etc/securetty has a different effect.) (Deletion of /etc/securetty has a different effect.)
/etc/securetty.security-misc /etc/securetty.security-misc
. .
informational output during PAM:
.
* Show failed and remaining password attempts.
* Document unlock procedure if Linux user account got locked.
* Point out, that there is no password feedback for `su`.
* Explain locked (root) account if locked.
* /usr/share/pam-configs/tally2-security-misc
* /usr/lib/security-misc/pam_tally2-info
.
access rights restrictions: access rights restrictions:
. .
* The default umask is changed to 006. This allows only the owner and group * The default umask is changed to 006. This allows only the owner and group
to read and write to newly created files. to read and write to newly created files.
/etc/login.defs.security-misc /etc/login.defs.security-misc
/usr/share/pam-configs/usergroups-security-misc
. .
* Enables pam_umask.so usergroups so group permissions are same as user * Enables pam_umask.so usergroups so group permissions are same as user
permissions. Debian by default uses User Private Groups (UPG). permissions. Debian by default uses User Private Groups (UPG).
https://wiki.debian.org/UserPrivateGroups https://wiki.debian.org/UserPrivateGroups
/usr/share/pam-configs/usergroups /usr/share/pam-configs/usergroups-security-misc
.
* Create home directory on login with umask 006 using
pam_mkhomedir.so umask=006
/usr/share/pam-configs/mkhomedir-security-misc
. .
* Removes read, write and execute access for others for all users who have * Removes read, write and execute access for others for all users who have
home folders under folder /home by running for example home folders under folder /home by running for example
"chmod o-rwx /home/user" "chmod o-rwx /home/user"
during package installation or upgrade. This will be done only once per folder during package installation, upgrade or pam. This will be done only once per
in folder /home so users who wish to relax file permissions are free to do so. folder in folder /home so users who wish to relax file permissions are free to
This is to protect previously created files in user home folder which were do so. This is to protect previously created files in user home folder which
previously created with lax file permissions prior installation of this were previously created with lax file permissions prior installation of this
package. package.
debian/security-misc.postinst debian/security-misc.postinst
/usr/share/pam-configs/permission-lockdown-security-misc
/usr/lib/security-misc/permission-lockdown
. .
access rights relaxations: access rights relaxations:
. .


@ -15,32 +15,6 @@ true "
##################################################################### #####################################################################
" "
home_folder_access_rights_lockdown() {
mkdir -p /var/cache/security-misc/state-files
shopt -s nullglob
## Not using dotglob.
## touch /var/cache/security-misc/state-files//home/.Trash
## touch: cannot touch '/var/cache/security-misc/state-files//home/.Trash': No such file or directory
local folder_name base_name
for folder_name in /home/* ; do
base_name="$(basename "$folder_name")"
if [ -f "/var/cache/security-misc/state-files/$base_name" ]; then
continue
fi
chmod o-rwx "$folder_name"
## Create a state-file so we do this only once.
## Therefore a user who will manually undo this, will not get
## annoyed by this being done over and over again.
touch "/var/cache/security-misc/state-files/$base_name"
done
shopt -u nullglob
}
case "$1" in case "$1" in
configure) configure)
glib-compile-schemas /usr/share/glib-2.0/schemas || true glib-compile-schemas /usr/share/glib-2.0/schemas || true
@ -59,7 +33,7 @@ addgroup root sudo
pam-auth-update --package pam-auth-update --package
home_folder_access_rights_lockdown /usr/lib/security-misc/permission-lockdown
true "INFO: debhelper beginning here." true "INFO: debhelper beginning here."


@ -0,0 +1,3 @@
# Requires every module to be signed before being loaded. Any module that is unsigned or signed with an invalid key cannot be loaded.
# This makes it harder to load a malicious module.
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX module.sig_enforce=1"
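Review bot: `module.sig_enforce=1` changes the kernel's module-signature check from "load and taint" to a hard refusal, so the comment should spell out the operational consequence for users: any module not signed with a key in the kernel's trusted keyring, including locally built DKMS modules, will fail to load after the next `update-grub` and reboot. A one-line hint on verifying the setting took effect (check `/proc/cmdline` after reboot and look in `dmesg` for the module loading refusal) would save people diagnosing a "missing" driver. The overlong first comment line should also be wrapped like the second.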


@ -0,0 +1,5 @@
#!/bin/bash
if test -x /usr/lib/security-misc/remove-system.map ; then
/usr/lib/security-misc/remove-system.map
fi
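Review bot: kernel postinst.d hooks receive the newly installed kernel version as `$1`, which this hook ignores; because `/usr/lib/security-misc/remove-system.map` globs `/boot/System.map-*`, every installed kernel's map is removed on any kernel upgrade, not just the new kernel's. That matches what the systemd unit does at boot, so it is probably intended, but a comment saying so would stop the next reader from "fixing" it. Also add `set -e` (or check the helper's exit status) so a failure in the helper is not silently swallowed by the hook.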


@ -0,0 +1,109 @@
#!/bin/bash
if [ ! -r /var/log/auth.log ]; then
exit 0
fi
pam_tally2_output="$(pam_tally2 --user "$PAM_USER")"
if [ "$pam_tally2_output" = "" ]; then
true "$0: no failed login"
exit 0
fi
## Example:
#Login Failures Latest failure From
#user 0
pam_tally2_output_last_line="$(echo "$pam_tally2_output" | tail -1)"
## Example:
#user 0
arr=($pam_tally2_output_last_line)
user_name="${arr[0]}"
failed_login_counter="${arr[1]}"
if [ ! "$PAM_USER" = "$user_name" ]; then
echo "$0: ERROR: PAM_USER: $PAM_USER does not equal user_name: '$user_name'." >&2
echo "$0: ERROR: Please report this bug." >&2
echo "" >&2
exit 0
fi
if [ "$failed_login_counter" = "0" ]; then
true "$0: INFO: Failed login counter is 0, ok."
exit 0
fi
temp="$(grep pam_tally2 /var/log/auth.log | grep ", deny" | tail -1)"
last_line_of_user="$(echo "$temp" | grep "pam_tally2")"
last_line_of_user="$(echo "$temp" | grep "): user $PAM_USER")"
#last_line_of_user="$(grep pam_tally2 /var/log/auth.log | grep "): user $PAM_USER " | tail -1)"
## Example:
#Aug 15 03:47:50 localhost sudo: pam_tally2(sudo:auth): user user (1000) tally 1, deny 10
temp="$(echo "$last_line_of_user" | sed 's/.*tally //')"
temp="${temp/", deny"/""}"
## Example:
#1 100
arr=($temp)
tally="${arr[0]}"
deny="${arr[1]}"
if [[ "$tally" == *[!0-9]* ]]; then
echo "$0: ERROR: tally is not numeric." >&2
echo "$0: ERROR: Please report this bug." >&2
echo "" >&2
exit 0
fi
if [[ "$deny" == *[!0-9]* ]]; then
echo "$0: ERROR: deny is not numeric." >&2
echo "$0: ERROR: Please report this bug." >&2
echo "" >&2
exit 0
fi
remaining_attempts="$(( $deny - $tally ))"
## Thanks to:
if [ "$(passwd -S "$PAM_USER" | cut -d ' ' -f 2)" = "P" ]; then
true "INFO: Password not locked."
else
echo "$0: ERROR: Password for user \"$PAM_USER\" is locked." >&2
if [ "$PAM_USER" = "root" ]; then
echo "$0: ERROR: root account is locked by default. See:" >&2
echo "https://www.whonix.org/wiki/root" >&2
echo "" >&2
fi
exit 0
fi
if [ "$remaining_attempts" -le "0" ]; then
echo "$0: ERROR: Login blocked after $tally attempts." >&2
echo "$0: To unlock, run the following command as superuser:" >&2
echo "$0: (If you still have a sudo/root shell somewhere.)" >&2
echo "" >&2
echo "pam_tally2 --quiet -r --user $PAM_USER" >&2
echo "" >&2
echo "$0: However, most likely unlock procedure is required." >&2
echo "$0: First boot into recovery mode at grub boot menu and then run above command." >&2
echo "$0: See also:" >&2
echo "https://www.whonix.org/wiki/root#unlock" >&2
echo "" >&2
exit 0
fi
echo "$0: WARNING: $tally failed login attempts." >&2
echo "$0: Login will be blocked after $deny attempts." >&2
echo "$0: You have $remaining_attempts more attempts before unlock procedure is required." >&2
echo "" >&2
if [ "$PAM_SERVICE" = "su" ]; then
echo "$0: NOTE: Type the password. When entering the password, no password feedback (no asterisk (\"*\") symbol) will be shown." >&2
echo "" >&2
fi
exit 0
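Review bot: the lookup of the user's last tally line is wrong: `temp` is set to the last `", deny"` line in auth.log for any user, and only then filtered for `): user $PAM_USER`; if the most recent tally line belongs to a different user, `last_line_of_user` is empty, `tally` and `deny` are empty (the `*[!0-9]*` checks pass on an empty string), `$(( $deny - $tally ))` raises an arithmetic error and the script prints a warning with blank numbers. The commented-out line directly below (`grep "): user $PAM_USER " | tail -1`) has the correct order: filter by user first, then take the last line. The first `last_line_of_user=` assignment is dead code, overwritten on the next line. Two smaller points: `## Thanks to:` has no attribution after it, and every message goes to `>&2` although the PAM profile runs this with pam_exec's `stdout` option (which relays only stdout to the calling application) and the commit log says output was moved to stdout; if PAM is meant to show these messages, they need to be on stdout. Finally, the early `exit 0` when `/var/log/auth.log` is unreadable means the script is silent on journald-only systems; that is a reasonable fallback but worth a comment.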


@ -0,0 +1,68 @@
#!/bin/bash
## Copyright (C) 2012 - 2019 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>
## See the file COPYING for copying conditions.
## Doing this for all users would create many issues.
# /usr/lib/security-misc/permission-lockdown: user: root | chmod o-rwx "/root"
# /usr/lib/security-misc/permission-lockdown: user: daemon | chmod o-rwx "/usr/sbin"
# /usr/lib/security-misc/permission-lockdown: user: bin | chmod o-rwx "/bin"
# /usr/lib/security-misc/permission-lockdown: user: sys | chmod o-rwx "/dev"
# /usr/lib/security-misc/permission-lockdown: user: sync | chmod o-rwx "/bin"
# /usr/lib/security-misc/permission-lockdown: user: games | chmod o-rwx "/usr/games"
# /usr/lib/security-misc/permission-lockdown: user: man | chmod o-rwx "/var/cache/man"
# /usr/lib/security-misc/permission-lockdown: user: mail | chmod o-rwx "/var/mail"
# /usr/lib/security-misc/permission-lockdown: user: proxy | chmod o-rwx "/bin"
# /usr/lib/security-misc/permission-lockdown: user: backup | chmod o-rwx "/var/backups"
# /usr/lib/security-misc/permission-lockdown: user: systemd-timesync | chmod o-rwx "/run/systemd"
# /usr/lib/security-misc/permission-lockdown: user: systemd-network | chmod o-rwx "/run/systemd/netif"
# /usr/lib/security-misc/permission-lockdown: user: messagebus | chmod o-rwx "/var/run/dbus"
# /usr/lib/security-misc/permission-lockdown: user: tinyproxy | chmod o-rwx "/run/tinyproxy"
# /usr/lib/security-misc/permission-lockdown: user: rtkit | chmod o-rwx "/proc"
# /usr/lib/security-misc/permission-lockdown: user: colord | chmod o-rwx "/var/lib/colord"
# /usr/lib/security-misc/permission-lockdown: user: Debian-exim | chmod o-rwx "/var/spool/exim4"
# /usr/lib/security-misc/permission-lockdown: user: debian-tor | chmod o-rwx "/var/lib/tor"
# /usr/lib/security-misc/permission-lockdown: user: stunnel4 | chmod o-rwx "/var/run/stunnel4"
# /usr/lib/security-misc/permission-lockdown: user: iodine | chmod o-rwx "/var/run/iodine"
# /usr/lib/security-misc/permission-lockdown: user: apt-cacher-ng | chmod o-rwx "/var/cache/apt-cacher-ng"
# /usr/lib/security-misc/permission-lockdown: user: statd | chmod o-rwx "/var/lib/nfs"
# /usr/lib/security-misc/permission-lockdown: user: timidity | chmod o-rwx "/etc/timidity"
# /usr/lib/security-misc/permission-lockdown: user: uuidd | chmod o-rwx "/run/uuidd"
# /usr/lib/security-misc/permission-lockdown: user: _rpc | chmod o-rwx "/run/rpcbind"
# /usr/lib/security-misc/permission-lockdown: user: geoclue | chmod o-rwx "/var/lib/geoclue"
home_folder_access_rights_lockdown() {
shopt -s nullglob
## Not using dotglob.
## touch /var/cache/security-misc/state-files//home/.Trash
## touch: cannot touch '/var/cache/security-misc/state-files//home/.Trash': No such file or directory
local folder_name base_name
for folder_name in /home/* ; do
base_name="$(basename "$folder_name")"
if [ -f "/var/cache/security-misc/state-files/$base_name" ]; then
continue
fi
if [ ! -d "$folder_name" ]; then
continue
fi
if [ "$folder_name" = "/home/" ]; then
continue
fi
mkdir -p /var/cache/security-misc/state-files
echo "$0: chmod o-rwx \"$folder_name\""
chmod o-rwx "$folder_name"
## Create a state-file so we do this only once.
## Therefore a user who will manually undo this, will not get
## annoyed by this being done over and over again.
touch "/var/cache/security-misc/state-files/$base_name"
done
shopt -u nullglob
}
home_folder_access_rights_lockdown
exit 0
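Review bot: the `[ "$folder_name" = "/home/" ]` guard can never be true: with `nullglob` set, `/home/*` expands only to entries inside `/home`, never to `/home/` itself, so the check is dead code and can go. The `-d` test follows symlinks, so a symlink in `/home` pointing at a directory would have its target chmod'ed; `/home` is normally writable only by root so this is not a privilege concern, but `[ -L "$folder_name" ] && continue` keeps the script honest about what it touches. The state file is keyed on the basename alone, so a home directory deleted and recreated under the same name is never locked down a second time; say so in the header comment next to the list of system users, which already documents why the script is limited to `/home`.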


@ -9,6 +9,6 @@ shopt -s nullglob
for filename in /boot/System.map-* for filename in /boot/System.map-*
do do
if [ -f "$(unknown)" ]; then if [ -f "$(unknown)" ]; then
rm -f "$(unknown)" rm --verbose --force "$(unknown)"
fi fi
done done
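Review bot: in this hunk both the test and the `rm` operate on `$(unknown)` while the loop variable is `filename`; if the file really contains `$(unknown)` the condition is always false and nothing is ever removed, so please confirm this is a rendering artifact and the script reads `"$filename"`. Switching to `rm --verbose --force` is the right call, since the kernel postinst hook relies on that output to self-document which System.map was removed during a kernel upgrade.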


@ -0,0 +1,7 @@
Name: Create home directory on login (by package security-misc)
Default: yes
Priority: 100
Session-Type: Additional
Session-Interactive-Only: yes
Session:
optional pam_mkhomedir.so umask=006
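Review bot: `umask=006` on pam_mkhomedir creates the home directory with mode 0771 (0777 & ~006), so others keep the execute (traverse) bit and can reach files inside if they know the names; it is only the later permission-lockdown session step (priority 50, so it runs after this priority-100 step) that strips it with `chmod o-rwx`. Using `umask=007` here would create the directory as 0770 outright and not depend on that ordering, while files copied from the skeleton would still get 0660.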


@ -0,0 +1,6 @@
Name: prevent users from reading other users /home/user folders (by package security-misc)
Default: yes
Priority: 50
Session-Type: Additional
Session:
optional pam_exec.so debug stdout seteuid /usr/lib/security-misc/permission-lockdown
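Review bot: this profile, like the tally2 and wheel profiles in the same change, ships with `debug` enabled, which makes pam_exec log every invocation to syslog on every session; drop it before release so the auth log is not filled with noise that buries the pam_tally2 failures the package wants administrators to notice. Also consider `Session-Interactive-Only: yes` as in the mkhomedir profile, since the stdout message from the helper serves no purpose in non-interactive sessions such as cron.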


@ -1,7 +0,0 @@
Name: group sudo membership required to use su, lock accounts after 5 failed authentication attempts (by package security-misc)
Default: yes
Priority: 260
Auth-Type: Primary
Auth:
required pam_wheel.so group=sudo debug
required pam_tally2.so deny=5 debug


@ -0,0 +1,10 @@
Name: lock accounts after 5 failed authentication attempts (by package security-misc)
Default: yes
Priority: 260
Auth-Type: Primary
Auth:
optional pam_exec.so debug stdout seteuid /usr/lib/security-misc/pam_tally2-info
requisite pam_tally2.so even_deny_root deny=100 onerr=fail audit debug
Account-Type: Primary
Account:
requisite pam_tally2.so debug
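Review bot: `deny=100` contradicts this profile's own `Name:` ("lock accounts after 5 failed authentication attempts") and the identical wording in README and debian/control; the changelog calls 100 a testing value "due to issues", so either the documentation should say 100 or the value should return to 5 before this ships in a release. `even_deny_root` with no `unlock_time` means a root lockout persists until `pam_tally2 -r` is run, so repeated wrong root passwords at any console lock root out until someone boots into recovery mode; the pam_tally2-info script already documents that path, but an `unlock_time=` value is worth considering as the safer default. The `Account:` stanza (`requisite pam_tally2.so`) is what resets the counter on a successful `sudo`, per the linked Red Hat bug in the commit log; a one-line comment here would keep that from being removed as redundant.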


@ -3,4 +3,4 @@ Default: yes
Priority: 256 Priority: 256
Session-Type: Additional Session-Type: Additional
Session: Session:
optional pam_umask.so usergroups optional pam_umask.so usergroups umask=006


@ -0,0 +1,6 @@
Name: group sudo membership required to use su (by package security-misc)
Default: yes
Priority: 270
Auth-Type: Primary
Auth:
requisite pam_wheel.so group=sudo debug
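Review bot: because this lands in common-auth (`Auth-Type: Primary`), `pam_wheel.so group=sudo` applies to every service that includes common-auth, not only `su`; pam_wheel checks the requesting user, and for `login` on a virtual console that is root, which is exactly why the README has to add root to group `sudo` as a workaround. Scoping the rule to `/etc/pam.d/su` would achieve the stated goal ("group sudo membership required to use su") without touching every other login path. `requisite` is the right control here, matching the commit note about not prompting for a password when the login would fail anyway, and `debug` should come off before release as in the other profiles.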