Merge branch 'master' into patch-21

README.md

@@ -40,6 +40,9 @@ KASLR effectiveness.
 * The SysRq key is restricted to only allow shutdowns/reboots.
 A systemd service clears System.map on boot as these contain kernel symbols
 that could be useful to an attacker.
+/etc/kernel/postinst.d/30_remove-system-map
+/lib/systemd/system/remove-system-map.service
+/usr/lib/security-misc/remove-system.map
 
 * Coredumps are disabled as they may contain important information such as
 encryption keys or passwords.
@@ -52,6 +55,11 @@ for DMA (Direct Memory Access) attacks.
 * The kernel now panics on oopses to prevent it from continuing running a
 flawed process.
 
+Requires every module to be signed before being loaded. Any module that is
+unsigned or signed with an invalid key cannot be loaded. This makes it harder
+to load a malicious module.
+/etc/default/grub.d/40_only_allow_signed_modules.cfg
+
 Uncommon network protocols are blacklisted:
 These are rarely used and may have unknown vulnerabilities.
 /etc/modprobe.d/uncommon-network-protocols.conf
@@ -91,7 +99,7 @@ restricts access to the root account:
 
 * `su` is restricted to only users within the group `sudo` which prevents
 users from using `su` to gain root access or to switch user accounts.
-/usr/share/pam-configs/security-misc
+/usr/share/pam-configs/wheel-security-misc
 (Which results in a change in file `/etc/pam.d/common-auth`.)
 
 * Add user `root` to group `sudo`. This is required to make above work so
@@ -99,33 +107,49 @@ login as a user in a virtual console is still possible.
 debian/security-misc.postinst
 
 * Lock user accounts after 5 failed login attempts using pam_tally2.
-/usr/share/pam-configs/security-misc
+/usr/share/pam-configs/tally2-security-misc
 
 * Logging into the root account from a virtual, serial, whatnot console is
 prevented by shipping an existing and empty /etc/securetty.
 (Deletion of /etc/securetty has a different effect.)
 /etc/securetty.security-misc
 
+informational output during PAM:
+
+* Show failed and remaining password attempts.
+* Document unlock procedure if Linux user account got locked.
+* Point out, that there is no password feedback for `su`.
+* Explain locked (root) account if locked.
+* /usr/share/pam-configs/tally2-security-misc
+* /usr/lib/security-misc/pam_tally2-info
+
 access rights restrictions:
 
 * The default umask is changed to 006. This allows only the owner and group
 to read and write to newly created files.
 /etc/login.defs.security-misc
+/usr/share/pam-configs/usergroups-security-misc
 
 * Enables pam_umask.so usergroups so group permissions are same as user
 permissions. Debian by default uses User Private Groups (UPG).
 https://wiki.debian.org/UserPrivateGroups
-/usr/share/pam-configs/usergroups
+/usr/share/pam-configs/usergroups-security-misc
+
+* Create home directory on login with umask 006 using
+pam_mkhomedir.so umask=006
+/usr/share/pam-configs/mkhomedir-security-misc
 
 * Removes read, write and execute access for others for all users who have
 home folders under folder /home by running for example
 "chmod o-rwx /home/user"
-during package installation or upgrade. This will be done only once per folder
-in folder /home so users who wish to relax file permissions are free to do so.
-This is to protect previously created files in user home folder which were
-previously created with lax file permissions prior installation of this
+during package installation, upgrade or pam. This will be done only once per
+folder in folder /home so users who wish to relax file permissions are free to
+do so. This is to protect previously created files in user home folder which
+were previously created with lax file permissions prior installation of this
 package.
 debian/security-misc.postinst
+/usr/share/pam-configs/permission-lockdown-security-misc
+/usr/lib/security-misc/permission-lockdown
 
 access rights relaxations:
 
@@ -186,16 +210,24 @@ Application specific hardening:
 * Deactivates thumbnails in Thunar.
 ## How to install `security-misc` using apt-get ##
 
-1\. Add [Whonix's Signing Key](https://www.whonix.org/wiki/Whonix_Signing_Key).
+1\. Download [Whonix's Signing Key]().
 
 ```
-sudo apt-key --keyring /etc/apt/trusted.gpg.d/whonix.gpg adv --keyserver hkp://ipv4.pool.sks-keyservers.net:80 --recv-keys 916B8D99C38EAF5E8ADC7A2A8D66066A2EEACCDA
+wget https://www.whonix.org/patrick.asc
+```
+
+Users can [check Whonix Signing Key](https://www.whonix.org/wiki/Whonix_Signing_Key) for better security.
+
+2\. Add Whonix's signing key.
+
+```
+sudo apt-key --keyring /etc/apt/trusted.gpg.d/whonix.gpg add ~/patrick.asc
 ```
 
 3\. Add Whonix's APT repository.
 
 ```
-echo "deb http://deb.whonix.org buster main contrib non-free" | sudo tee /etc/apt/sources.list.d/whonix.list
+echo "deb https://deb.whonix.org buster main contrib non-free" | sudo tee /etc/apt/sources.list.d/whonix.list
 ```
 
 4\. Update your package lists.

changelog.upstream

@@ -1,3 +1,368 @@
+commit a11e3cea9eb160ba84dbc273ea4cb48bc687158f
+Author: Patrick Schleizer <adrelanos@riseup.net>
+Date:   Thu Aug 15 15:08:48 2019 +0000
+
+    readme
+
+commit ff9bc1d7ea81a8507f44d9bb1301b9665614ebdd
+Author: Patrick Schleizer <adrelanos@riseup.net>
+Date:   Thu Aug 15 13:37:28 2019 +0000
+
+    informational output during PAM:
+    
+    * Show failed and remaining password attempts.
+    * Document unlock procedure if Linux user account got locked.
+    * Point out, that there is no password feedback for `su`.
+    * Explain locked (root) account if locked.
+    * /usr/share/pam-configs/tally2-security-misc
+    * /usr/lib/security-misc/pam_tally2-info
+
+commit 454e1358220abf75def0d88a22426086a55c0802
+Author: Patrick Schleizer <adrelanos@riseup.net>
+Date:   Thu Aug 15 07:33:41 2019 +0000
+
+    pam_tally2.so even_deny_root
+
+commit 63b476221c7b9ece6b99f9e194fab80e300275d9
+Author: Patrick Schleizer <adrelanos@riseup.net>
+Date:   Thu Aug 15 07:30:56 2019 +0000
+
+    use requisite rather than required to avoid asking for password needlessly
+    
+    if login will fail anyhow
+
+commit ce4a30d3cecb7e9bddb96c79aab871804cb90bd4
+Author: Patrick Schleizer <adrelanos@riseup.net>
+Date:   Wed Aug 14 11:52:26 2019 +0000
+
+    bumped changelog version
+
+commit a7c25a451c78f7b9a5720e1b6fc7d168eb0afa4f
+Author: Patrick Schleizer <adrelanos@riseup.net>
+Date:   Wed Aug 14 11:50:53 2019 +0000
+
+    remove unneeded dependency on libpam-cgfs
+
+commit 633854c6bec439af9718439c8207012322800166
+Author: Patrick Schleizer <adrelanos@riseup.net>
+Date:   Wed Aug 14 11:13:25 2019 +0000
+
+    bumped changelog version
+
+commit 0feb54b28e90b5c4cfcd529914a3892362c34966
+Author: Patrick Schleizer <adrelanos@riseup.net>
+Date:   Wed Aug 14 11:10:18 2019 +0000
+
+    add Depends: apparmor-profile-anondist to fix apparmor issue
+    
+    sudo[19806]: pam_exec(sudo:session): execve(/usr/lib/security-misc/permission-lockdown,...) failed: Permission denied
+    sudo[18961]: pam_exec(sudo:session): /usr/lib/security-misc/permission-lockdown failed: exit code 13
+    kernel: audit: type=1400 audit(1565780860.972:224): apparmor="DENIED" operation="exec" profile="/usr/bin/whonixcheck" name="/usr/lib/security-misc/permission-lockdown" pid=19806 comm="sudo" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
+
+commit 8fdc77fed553d7ba6123d738b9cb3efe98f3f08f
+Author: Patrick Schleizer <adrelanos@riseup.net>
+Date:   Wed Aug 14 10:33:23 2019 +0000
+
+    output to stdout
+
+commit 5213cfbcdcb41a5aa714d1031b36436adeb0359c
+Author: Patrick Schleizer <adrelanos@riseup.net>
+Date:   Wed Aug 14 10:08:18 2019 +0000
+
+    bumped changelog version
+
+commit 2875adb7221769dcd23ef701dae8b9ad24708590
+Author: Patrick Schleizer <adrelanos@riseup.net>
+Date:   Wed Aug 14 10:07:55 2019 +0000
+
+    readme
+
+commit 01b3a0bfaeda0dad87644ad8d54c61e07dd501f7
+Author: Patrick Schleizer <adrelanos@riseup.net>
+Date:   Wed Aug 14 09:52:53 2019 +0000
+
+    description
+
+commit 547ba91d799780487782cdd8088c556d978494e8
+Author: Patrick Schleizer <adrelanos@riseup.net>
+Date:   Wed Aug 14 09:45:30 2019 +0000
+
+    sanity test
+
+commit dee195d89e94ff343cec60308cbbb5464d2a7b18
+Author: Patrick Schleizer <adrelanos@riseup.net>
+Date:   Wed Aug 14 09:40:41 2019 +0000
+
+    description
+
+commit 799acad724977dea220c2228f9da0db3d6b5170e
+Author: Patrick Schleizer <adrelanos@riseup.net>
+Date:   Wed Aug 14 09:39:43 2019 +0000
+
+    skip, if not a folder
+
+commit 6321ff5ad5938a929d4a997b4f1b03db2ac4b5fd
+Author: Patrick Schleizer <adrelanos@riseup.net>
+Date:   Wed Aug 14 09:38:44 2019 +0000
+
+    refactoring
+
+commit 15094cab4fbbb1fd0c20bd8241ea20bd6c0bd331
+Author: Patrick Schleizer <adrelanos@riseup.net>
+Date:   Wed Aug 14 09:36:30 2019 +0000
+
+    avoid ' character in usr/share/pam-configs; in description
+
+commit 97d1945e61053efd3b73fb9f761b3ea1c9271cdc
+Author: Patrick Schleizer <adrelanos@riseup.net>
+Date:   Wed Aug 14 09:32:58 2019 +0000
+
+    no log needed, informative output to stdout instead
+
+commit a085d46c567b0b5dbbaddd8f3e5873d87d904c4a
+Author: Patrick Schleizer <adrelanos@riseup.net>
+Date:   Wed Aug 14 09:31:58 2019 +0000
+
+    change priories so "pam_umask.so usergroups umask=006" runs before pam_exec.so /usr/lib/security-misc/permission-lockdown
+
+commit f8c828b69a8f52108d19af4076e718930b5dcd07
+Author: Patrick Schleizer <adrelanos@riseup.net>
+Date:   Wed Aug 14 05:19:02 2019 -0400
+
+    output
+
+commit e5da6d9699de1d3c4aaefee7d301a4c47f33e4bd
+Author: Patrick Schleizer <adrelanos@riseup.net>
+Date:   Wed Aug 14 05:17:54 2019 -0400
+
+    copyright
+
+commit 1595789d7c310c80196345e06b6bacc8fb7c0baf
+Author: Patrick Schleizer <adrelanos@riseup.net>
+Date:   Wed Aug 14 05:17:16 2019 -0400
+
+    comment
+
+commit ce06fdf91103afbaf84523ce998570af733b5bbe
+Author: Patrick Schleizer <adrelanos@riseup.net>
+Date:   Wed Aug 14 05:15:53 2019 -0400
+
+    formatting
+
+commit 21489111d107023f150988137180154ba62e1ff2
+Author: Patrick Schleizer <adrelanos@riseup.net>
+Date:   Wed Aug 14 08:34:03 2019 +0000
+
+    run permission lockdown during pam
+    
+    https://forums.whonix.org/t/change-default-umask/7416
+
+commit 42f2d5f6664f15baebdaf200a5690cf32cdbe284
+Author: Patrick Schleizer <adrelanos@riseup.net>
+Date:   Wed Aug 14 07:39:28 2019 +0000
+
+    description
+
+commit 52df8dc0149d597c3106daa7112a01db444e34f1
+Author: Patrick Schleizer <adrelanos@riseup.net>
+Date:   Wed Aug 14 07:37:21 2019 +0000
+
+    optional        pam_umask.so    usergroups umask=006
+
+commit f210294f4091b6a09c902a446b125c26022c5d2a
+Author: Patrick Schleizer <adrelanos@riseup.net>
+Date:   Wed Aug 14 07:24:24 2019 +0000
+
+    description
+
+commit dbea7d1511d8e1b2604960d37146ec931d9dfe15
+Author: Patrick Schleizer <adrelanos@riseup.net>
+Date:   Wed Aug 14 07:22:14 2019 +0000
+
+    add hook etc/kernel/postinst.d/30_remove-system-map to remove system.map
+    
+    on kernel package upgrade;
+    
+    self-document this package: during upgrade the following will be written
+    to stdout:
+    
+    Setting up linux-image-4.19.0-5-amd64 (4.19.37-5+deb10u2) ...
+    /etc/kernel/postinst.d/30_remove-system-map:
+    removed '/boot/System.map-4.19.0-5-amd64
+
+commit f1d8cbc9fb2b800205923cce77a8e242dddd133c
+Author: Patrick Schleizer <adrelanos@riseup.net>
+Date:   Wed Aug 14 07:02:09 2019 +0000
+
+    bumped changelog version
+
+commit 41f4441d9dc5777d4ea7424f8422164c548da091
+Author: Patrick Schleizer <adrelanos@riseup.net>
+Date:   Wed Aug 14 07:01:47 2019 +0000
+
+    readme
+
+commit a82448d46af4fb9dce2de84025b8b820a11fae01
+Author: Patrick Schleizer <adrelanos@riseup.net>
+Date:   Wed Aug 14 07:01:25 2019 +0000
+
+    description
+
+commit ff8c0979435b491cf462c5ef6e8e02f6d85f1d81
+Merge: 6f8acf0 a8ea379
+Author: Patrick Schleizer <adrelanos@riseup.net>
+Date:   Wed Aug 14 06:59:50 2019 +0000
+
+    Merge remote-tracking branch 'origin/master'
+
+commit a8ea37952669b3f40a452cb580442126ec44233a
+Merge: 6f8acf0 9a49b8e
+Author: Patrick Schleizer <adrelanos@riseup.net>
+Date:   Wed Aug 14 06:59:34 2019 +0000
+
+    Merge pull request #28 from madaidan/patch-22
+    
+    Require all loaded kernel modules to be signed with a valid key.
+
+commit 9a49b8ecbb863a995862a4d380c6a03f6c0991ac
+Author: madaidan <50278627+madaidan@users.noreply.github.com>
+Date:   Tue Aug 13 13:33:07 2019 +0000
+
+    Create 40_only_allow_signed_modules.cfg
+    
+    Require all loaded kernel modules to be signed with a valid key.
+
+commit 6f8acf06d79c77e3bee15cc8696a433271e2b7c9
+Author: Patrick Schleizer <adrelanos@riseup.net>
+Date:   Sun Aug 11 12:07:07 2019 +0000
+
+    bumped changelog version
+
+commit 52cee9128316d649ba7ffa9600d0fdc33c99a9a9
+Author: Patrick Schleizer <adrelanos@riseup.net>
+Date:   Sun Aug 11 11:39:32 2019 +0000
+
+    readme
+
+commit aacd9c7679b05b7ee59df484f21a24fe7aa5901d
+Author: Patrick Schleizer <adrelanos@riseup.net>
+Date:   Sun Aug 11 10:34:38 2019 +0000
+
+    description
+
+commit c0b5c70de498d891e4edd5b9af2292909be36776
+Author: Patrick Schleizer <adrelanos@riseup.net>
+Date:   Sun Aug 11 10:33:22 2019 +0000
+
+    description
+
+commit 2f37a66fd009c9cba423c0f95833a71c8669af46
+Author: Patrick Schleizer <adrelanos@riseup.net>
+Date:   Sun Aug 11 10:31:29 2019 +0000
+
+    description
+
+commit e83ec79a25d09b2467e2389959d87267bab7f1f0
+Author: Patrick Schleizer <adrelanos@riseup.net>
+Date:   Sun Aug 11 10:30:51 2019 +0000
+
+    enable usr/share/pam-configs/mkhomedir-security-misc by default
+
+commit 1eb806a03ef25bb387fa80f45dd6509925437048
+Author: Patrick Schleizer <adrelanos@riseup.net>
+Date:   Sun Aug 11 10:29:49 2019 +0000
+
+    pam_mkhomedir.so umask=006
+
+commit c50eb3c9b07b9e54951eb08206db6d28383f6cdc
+Author: Patrick Schleizer <adrelanos@riseup.net>
+Date:   Sun Aug 11 10:28:55 2019 +0000
+
+    add usr/share/pam-configs/mkhomedir-security-misc based on
+    /usr/share/pam-configs/mkhomedir
+
+commit 75769151cd7980042357f18c5567adab2a031049
+Author: Patrick Schleizer <adrelanos@riseup.net>
+Date:   Sat Aug 10 11:37:02 2019 +0000
+
+    bumped changelog version
+
+commit a2fa18c38159161418edcdaacb1baad215f5d31d
+Author: Patrick Schleizer <adrelanos@riseup.net>
+Date:   Sat Aug 10 07:07:28 2019 -0400
+
+    pam_tally2.so deny=100
+    
+    during testing, due to issues
+    
+    https://github.com/Whonix/security-misc/commit/d17e25272b9b7bbb6abc4dccd500a6b34311a7dd
+    
+    https://forums.whonix.org/t/how-strong-do-linux-user-account-passwords-have-to-be-when-using-full-disk-encryption-fde-too/7698/12
+
+commit d17e25272b9b7bbb6abc4dccd500a6b34311a7dd
+Author: Patrick Schleizer <adrelanos@riseup.net>
+Date:   Sat Aug 10 06:06:39 2019 -0400
+
+    effectively (not directly) add "required        pam_tally2.so debug" to /etc/pam.d/common-account
+    
+    This is required because otherwise something like "sudo bash" would count as a
+    failed login for pam_tally2 even though it was successful.
+    
+    https://bugzilla.redhat.com/show_bug.cgi?id=707660
+    
+    https://forums.whonix.org/t/restrict-root-access/7658
+
+commit 0f896a9d8d6f7c125311a0e226755f8a00214f3c
+Author: Patrick Schleizer <adrelanos@riseup.net>
+Date:   Sat Aug 10 06:05:37 2019 -0400
+
+    add onerr=fail audit to pam_tally2
+
+commit a703865dcf736996a58e6f684fc02f0e9dfa8cc7
+Author: Patrick Schleizer <adrelanos@riseup.net>
+Date:   Thu Aug 1 12:02:41 2019 +0000
+
+    bumped changelog version
+
+commit 1fe3036a4903588b89edd82e7097a665271fd27f
+Author: Patrick Schleizer <adrelanos@riseup.net>
+Date:   Thu Aug 1 11:13:43 2019 +0000
+
+    readme
+
+commit e076470f68dc18908c5ab1889232aaaa0fcb9f3d
+Author: Patrick Schleizer <adrelanos@riseup.net>
+Date:   Thu Aug 1 11:04:58 2019 +0000
+
+    renamed:    usr/share/pam-configs/usergroups -> usr/share/pam-configs/usergroups-security-misc
+
+commit 830111e99aa6f45688c4ba00a7f41ea323f15f2a
+Author: Patrick Schleizer <adrelanos@riseup.net>
+Date:   Thu Aug 1 11:04:22 2019 +0000
+
+    split usr/share/pam-configs/security-misc
+    into
+    usr/share/pam-configs/tally2-security-misc
+    usr/share/pam-configs/wheel-security-misc
+
+commit 5d0aec1321b4f46f1834ba9ad166d2445a995fbb
+Author: Patrick Schleizer <adrelanos@riseup.net>
+Date:   Wed Jul 31 19:12:27 2019 +0000
+
+    bumped changelog version
+
+commit 89d32402b2dd2182dc6e7788d41708eaaeeb02c1
+Author: Patrick Schleizer <adrelanos@riseup.net>
+Date:   Wed Jul 31 14:52:29 2019 -0400
+
+    fix, do not use "," inside /usr/share/pam-configs files
+
+commit 864de10659d0145ae8883b98b1746a7debc9492a
+Author: Patrick Schleizer <adrelanos@riseup.net>
+Date:   Wed Jul 31 15:17:51 2019 +0000
+
+    bumped changelog version
+
 commit 47368ae4fccc85ab3197f07316b03c123187f9a2
 Author: Patrick Schleizer <adrelanos@riseup.net>
 Date:   Wed Jul 31 15:15:30 2019 +0000

debian/changelog

@@ -1,3 +1,57 @@
+security-misc (3:7.1-1) unstable; urgency=medium
+
+  * New upstream version (local package).
+
+ -- Patrick Schleizer <adrelanos@riseup.net>  Thu, 15 Aug 2019 15:18:02 +0000
+
+security-misc (3:7.0-1) unstable; urgency=medium
+
+  * New upstream version (local package).
+
+ -- Patrick Schleizer <adrelanos@riseup.net>  Wed, 14 Aug 2019 11:52:26 +0000
+
+security-misc (3:6.9-1) unstable; urgency=medium
+
+  * New upstream version (local package).
+
+ -- Patrick Schleizer <adrelanos@riseup.net>  Wed, 14 Aug 2019 11:13:25 +0000
+
+security-misc (3:6.8-1) unstable; urgency=medium
+
+  * New upstream version (local package).
+
+ -- Patrick Schleizer <adrelanos@riseup.net>  Wed, 14 Aug 2019 10:08:18 +0000
+
+security-misc (3:6.7-1) unstable; urgency=medium
+
+  * New upstream version (local package).
+
+ -- Patrick Schleizer <adrelanos@riseup.net>  Wed, 14 Aug 2019 07:02:09 +0000
+
+security-misc (3:6.6-1) unstable; urgency=medium
+
+  * New upstream version (local package).
+
+ -- Patrick Schleizer <adrelanos@riseup.net>  Sun, 11 Aug 2019 12:07:07 +0000
+
+security-misc (3:6.5-1) unstable; urgency=medium
+
+  * New upstream version (local package).
+
+ -- Patrick Schleizer <adrelanos@riseup.net>  Sat, 10 Aug 2019 11:37:02 +0000
+
+security-misc (3:6.4-1) unstable; urgency=medium
+
+  * New upstream version (local package).
+
+ -- Patrick Schleizer <adrelanos@riseup.net>  Thu, 01 Aug 2019 12:02:41 +0000
+
+security-misc (3:6.3-1) unstable; urgency=medium
+
+  * New upstream version (local package).
+
+ -- Patrick Schleizer <adrelanos@riseup.net>  Wed, 31 Jul 2019 19:12:27 +0000
+
 security-misc (3:6.2-1) unstable; urgency=medium
 
   * New upstream version (local package).

debian/control

@@ -13,8 +13,8 @@ Standards-Version: 4.3.0
 
 Package: security-misc
 Architecture: all
-Depends: python, libglib2.0-bin, libpam-runtime, libpam-cgfs, sudo,
- ${misc:Depends}
+Depends: python, libglib2.0-bin, libpam-runtime, sudo,
+ apparmor-profile-anondist, ${misc:Depends}
 Replaces: tcp-timestamps-disable
 Description: enhances misc security settings
  kernel hardening:
@@ -57,6 +57,9 @@ Description: enhances misc security settings
   * The SysRq key is restricted to only allow shutdowns/reboots.
  A systemd service clears System.map on boot as these contain kernel symbols
  that could be useful to an attacker.
+ /etc/kernel/postinst.d/30_remove-system-map
+ /lib/systemd/system/remove-system-map.service
+ /usr/lib/security-misc/remove-system.map
  .
   * Coredumps are disabled as they may contain important information such as
  encryption keys or passwords.
@@ -71,6 +74,11 @@ Description: enhances misc security settings
  .
   * Bluetooth is blacklisted to reduce attack surface. Bluetooth also has
  a history of [security concerns](https://en.wikipedia.org/wiki/Bluetooth#History_of_security_concerns).
+ .
+  * Requires every module to be signed before being loaded. Any module that is
+ unsigned or signed with an invalid key cannot be loaded. This makes it harder
+ to load a malicious module.
+ /etc/default/grub.d/40_only_allow_signed_modules.cfg
  .
  Uncommon network protocols are blacklisted:
  These are rarely used and may have unknown vulnerabilities.
@@ -111,7 +119,7 @@ Description: enhances misc security settings
  .
   * `su` is restricted to only users within the group `sudo` which prevents
  users from using `su` to gain root access or to switch user accounts.
- /usr/share/pam-configs/security-misc
+ /usr/share/pam-configs/wheel-security-misc
  (Which results in a change in file `/etc/pam.d/common-auth`.)
  .
  * Add user `root` to group `sudo`. This is required to make above work so
@@ -119,33 +127,49 @@ Description: enhances misc security settings
  debian/security-misc.postinst
  .
  * Lock user accounts after 5 failed login attempts using pam_tally2.
- /usr/share/pam-configs/security-misc
+ /usr/share/pam-configs/tally2-security-misc
  .
   * Logging into the root account from a virtual, serial, whatnot console is
  prevented by shipping an existing and empty /etc/securetty.
  (Deletion of /etc/securetty has a different effect.)
  /etc/securetty.security-misc
  .
+ informational output during PAM:
+ .
+  * Show failed and remaining password attempts.
+  * Document unlock procedure if Linux user account got locked.
+  * Point out, that there is no password feedback for `su`.
+  * Explain locked (root) account if locked.
+  * /usr/share/pam-configs/tally2-security-misc
+  * /usr/lib/security-misc/pam_tally2-info
+ .
  access rights restrictions:
  .
   * The default umask is changed to 006. This allows only the owner and group
  to read and write to newly created files.
  /etc/login.defs.security-misc
+ /usr/share/pam-configs/usergroups-security-misc
  .
   * Enables pam_umask.so usergroups so group permissions are same as user
  permissions. Debian by default uses User Private Groups (UPG).
  https://wiki.debian.org/UserPrivateGroups
- /usr/share/pam-configs/usergroups
+ /usr/share/pam-configs/usergroups-security-misc
+ .
+  * Create home directory on login with umask 006 using
+ pam_mkhomedir.so umask=006
+ /usr/share/pam-configs/mkhomedir-security-misc
  .
   * Removes read, write and execute access for others for all users who have
  home folders under folder /home by running for example
  "chmod o-rwx /home/user"
- during package installation or upgrade. This will be done only once per folder
- in folder /home so users who wish to relax file permissions are free to do so.
- This is to protect previously created files in user home folder which were
- previously created with lax file permissions prior installation of this
+ during package installation, upgrade or pam. This will be done only once per
+ folder in folder /home so users who wish to relax file permissions are free to
+ do so. This is to protect previously created files in user home folder which
+ were previously created with lax file permissions prior installation of this
  package.
  debian/security-misc.postinst
+ /usr/share/pam-configs/permission-lockdown-security-misc
+ /usr/lib/security-misc/permission-lockdown
  .
  access rights relaxations:
  .

debian/security-misc.postinst

@@ -15,32 +15,6 @@ true "
 #####################################################################
 "
 
-home_folder_access_rights_lockdown() {
-   mkdir -p /var/cache/security-misc/state-files
-
-   shopt -s nullglob
-
-   ## Not using dotglob.
-   ## touch /var/cache/security-misc/state-files//home/.Trash
-   ## touch: cannot touch '/var/cache/security-misc/state-files//home/.Trash': No such file or directory
-
-   local folder_name base_name
-
-   for folder_name in /home/* ; do
-      base_name="$(basename "$folder_name")"
-      if [ -f "/var/cache/security-misc/state-files/$base_name" ]; then
-         continue
-      fi
-      chmod o-rwx "$folder_name"
-      ## Create a state-file so we do this only once.
-      ## Therefore a user who will manually undo this, will not get
-      ## annoyed by this being done over and over again.
-      touch "/var/cache/security-misc/state-files/$base_name"
-   done
-
-   shopt -u nullglob
-}
-
 case "$1" in
     configure)
         glib-compile-schemas /usr/share/glib-2.0/schemas || true
@@ -59,7 +33,7 @@ addgroup root sudo
 
 pam-auth-update --package
 
-home_folder_access_rights_lockdown
+/usr/lib/security-misc/permission-lockdown
 
 true "INFO: debhelper beginning here."
 

etc/default/grub.d/40_only_allow_signed_modules.cfg

@@ -0,0 +1,3 @@
+# Requires every module to be signed before being loaded. Any module that is unsigned or signed with an invalid key cannot be loaded.
+# This makes it harder to load a malicious module.
+GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX module.sig_enforce=1"

etc/kernel/postinst.d/30_remove-system-map

@@ -0,0 +1,5 @@
+#!/bin/bash
+
+if test -x /usr/lib/security-misc/remove-system.map ; then
+   /usr/lib/security-misc/remove-system.map
+fi

usr/lib/security-misc/pam_tally2-info

@@ -0,0 +1,109 @@
+#!/bin/bash
+
+if [ ! -r /var/log/auth.log ]; then
+   exit 0
+fi
+
+pam_tally2_output="$(pam_tally2 --user "$PAM_USER")"
+
+if [ "$pam_tally2_output" = "" ]; then
+   true "$0: no failed login"
+   exit 0
+fi
+
+## Example:
+#Login           Failures Latest failure     From
+#user                0
+
+pam_tally2_output_last_line="$(echo "$pam_tally2_output" | tail -1)"
+## Example:
+#user                0
+
+arr=($pam_tally2_output_last_line)
+user_name="${arr[0]}"
+failed_login_counter="${arr[1]}"
+
+if [ ! "$PAM_USER" = "$user_name" ]; then
+   echo "$0: ERROR: PAM_USER: $PAM_USER does not equal user_name: '$user_name'." >&2
+   echo "$0: ERROR: Please report this bug." >&2
+   echo "" >&2
+   exit 0
+fi
+
+if [ "$failed_login_counter" = "0" ]; then
+   true "$0: INFO: Failed login counter is 0, ok."
+   exit 0
+fi
+
+temp="$(grep pam_tally2 /var/log/auth.log | grep ", deny" | tail -1)"
+last_line_of_user="$(echo "$temp" | grep "pam_tally2")"
+last_line_of_user="$(echo "$temp" | grep "): user $PAM_USER")"
+
+#last_line_of_user="$(grep pam_tally2 /var/log/auth.log | grep "): user $PAM_USER " | tail -1)"
+## Example:
+#Aug 15 03:47:50 localhost sudo: pam_tally2(sudo:auth): user user (1000) tally 1, deny 10
+
+temp="$(echo "$last_line_of_user" | sed 's/.*tally //')"
+temp="${temp/", deny"/""}"
+## Example:
+#1 100
+
+arr=($temp)
+tally="${arr[0]}"
+deny="${arr[1]}"
+
+if [[ "$tally" == *[!0-9]* ]]; then
+   echo "$0: ERROR: tally is not numeric." >&2
+   echo "$0: ERROR: Please report this bug." >&2
+   echo "" >&2
+   exit 0
+fi
+
+if [[ "$deny" == *[!0-9]* ]]; then
+   echo "$0: ERROR: deny is not numeric." >&2
+   echo "$0: ERROR: Please report this bug." >&2
+   echo "" >&2
+   exit 0
+fi
+
+remaining_attempts="$(( $deny - $tally ))"
+
+## Thanks to:
+if [ "$(passwd -S "$PAM_USER" | cut -d ' ' -f 2)" = "P" ]; then
+   true "INFO: Password not locked."
+else
+   echo "$0: ERROR: Password for user \"$PAM_USER\" is locked." >&2
+   if [ "$PAM_USER" = "root" ]; then
+      echo "$0: ERROR: root account is locked by default. See:" >&2
+      echo "https://www.whonix.org/wiki/root" >&2
+      echo "" >&2
+   fi
+   exit 0
+fi
+
+if [ "$remaining_attempts" -le "0" ]; then
+   echo "$0: ERROR: Login blocked after $tally attempts." >&2
+   echo "$0: To unlock, run the following command as superuser:" >&2
+   echo "$0: (If you still have a sudo/root shell somewhere.)" >&2
+   echo "" >&2
+   echo "pam_tally2 --quiet -r --user $PAM_USER" >&2
+   echo "" >&2
+   echo "$0: However, most likely unlock procedure is required." >&2
+   echo "$0: First boot into recovery mode at grub boot menu and then run above command." >&2
+   echo "$0: See also:" >&2
+   echo "https://www.whonix.org/wiki/root#unlock" >&2
+   echo "" >&2
+   exit 0
+fi
+
+echo "$0: WARNING: $tally failed login attempts." >&2
+echo "$0: Login will be blocked after $deny attempts." >&2
+echo "$0: You have $remaining_attempts more attempts before unlock procedure is required." >&2
+echo "" >&2
+
+if [ "$PAM_SERVICE" = "su" ]; then
+   echo "$0: NOTE: Type the password. When entering the password, no password feedback (no asterisk (\"*\") symbol) will be shown." >&2
+   echo "" >&2
+fi
+
+exit 0

usr/lib/security-misc/permission-lockdown

@@ -0,0 +1,68 @@
+#!/bin/bash
+
+## Copyright (C) 2012 - 2019 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>
+## See the file COPYING for copying conditions.
+
+## Doing this for all users would create many issues.
+# /usr/lib/security-misc/permission-lockdown: user: root | chmod o-rwx "/root"
+# /usr/lib/security-misc/permission-lockdown: user: daemon | chmod o-rwx "/usr/sbin"
+# /usr/lib/security-misc/permission-lockdown: user: bin | chmod o-rwx "/bin"
+# /usr/lib/security-misc/permission-lockdown: user: sys | chmod o-rwx "/dev"
+# /usr/lib/security-misc/permission-lockdown: user: sync | chmod o-rwx "/bin"
+# /usr/lib/security-misc/permission-lockdown: user: games | chmod o-rwx "/usr/games"
+# /usr/lib/security-misc/permission-lockdown: user: man | chmod o-rwx "/var/cache/man"
+# /usr/lib/security-misc/permission-lockdown: user: mail | chmod o-rwx "/var/mail"
+# /usr/lib/security-misc/permission-lockdown: user: proxy | chmod o-rwx "/bin"
+# /usr/lib/security-misc/permission-lockdown: user: backup | chmod o-rwx "/var/backups"
+# /usr/lib/security-misc/permission-lockdown: user: systemd-timesync | chmod o-rwx "/run/systemd"
+# /usr/lib/security-misc/permission-lockdown: user: systemd-network | chmod o-rwx "/run/systemd/netif"
+# /usr/lib/security-misc/permission-lockdown: user: messagebus | chmod o-rwx "/var/run/dbus"
+# /usr/lib/security-misc/permission-lockdown: user: tinyproxy | chmod o-rwx "/run/tinyproxy"
+# /usr/lib/security-misc/permission-lockdown: user: rtkit | chmod o-rwx "/proc"
+# /usr/lib/security-misc/permission-lockdown: user: colord | chmod o-rwx "/var/lib/colord"
+# /usr/lib/security-misc/permission-lockdown: user: Debian-exim | chmod o-rwx "/var/spool/exim4"
+# /usr/lib/security-misc/permission-lockdown: user: debian-tor | chmod o-rwx "/var/lib/tor"
+# /usr/lib/security-misc/permission-lockdown: user: stunnel4 | chmod o-rwx "/var/run/stunnel4"
+# /usr/lib/security-misc/permission-lockdown: user: iodine | chmod o-rwx "/var/run/iodine"
+# /usr/lib/security-misc/permission-lockdown: user: apt-cacher-ng | chmod o-rwx "/var/cache/apt-cacher-ng"
+# /usr/lib/security-misc/permission-lockdown: user: statd | chmod o-rwx "/var/lib/nfs"
+# /usr/lib/security-misc/permission-lockdown: user: timidity | chmod o-rwx "/etc/timidity"
+# /usr/lib/security-misc/permission-lockdown: user: uuidd | chmod o-rwx "/run/uuidd"
+# /usr/lib/security-misc/permission-lockdown: user: _rpc | chmod o-rwx "/run/rpcbind"
+# /usr/lib/security-misc/permission-lockdown: user: geoclue | chmod o-rwx "/var/lib/geoclue"
+
+home_folder_access_rights_lockdown() {
+   shopt -s nullglob
+
+   ## Not using dotglob.
+   ## touch /var/cache/security-misc/state-files//home/.Trash
+   ## touch: cannot touch '/var/cache/security-misc/state-files//home/.Trash': No such file or directory
+
+   local folder_name base_name
+
+   for folder_name in /home/* ; do
+      base_name="$(basename "$folder_name")"
+      if [ -f "/var/cache/security-misc/state-files/$base_name" ]; then
+         continue
+      fi
+      if [ ! -d "$folder_name" ]; then
+         continue
+      fi
+      if [ "$folder_name" = "/home/" ]; then
+         continue
+      fi
+      mkdir -p /var/cache/security-misc/state-files
+      echo "$0: chmod o-rwx \"$folder_name\""
+      chmod o-rwx "$folder_name"
+      ## Create a state-file so we do this only once.
+      ## Therefore a user who will manually undo this, will not get
+      ## annoyed by this being done over and over again.
+      touch "/var/cache/security-misc/state-files/$base_name"
+   done
+
+   shopt -u nullglob
+}
+
+home_folder_access_rights_lockdown
+
+exit 0

usr/lib/security-misc/remove-system.map

@@ -9,6 +9,6 @@ shopt -s nullglob
 for filename in /boot/System.map-*
 do
   if [ -f "${filename}" ]; then
-    rm -f "${filename}"
+    rm --verbose --force "${filename}"
   fi
 done

usr/share/pam-configs/mkhomedir-security-misc

@@ -0,0 +1,7 @@
+Name: Create home directory on login (by package security-misc)
+Default: yes
+Priority: 100
+Session-Type: Additional
+Session-Interactive-Only: yes
+Session:
+	optional	pam_mkhomedir.so umask=006

usr/share/pam-configs/permission-lockdown-security-misc

@@ -0,0 +1,6 @@
+Name: prevent users from reading other users /home/user folders (by package security-misc)
+Default: yes
+Priority: 50
+Session-Type: Additional
+Session:
+	optional	pam_exec.so	debug stdout seteuid /usr/lib/security-misc/permission-lockdown

usr/share/pam-configs/security-misc

@@ -1,7 +0,0 @@
-Name: group sudo membership required to use su, lock accounts after 5 failed authentication attempts (by package security-misc)
-Default: yes
-Priority: 260
-Auth-Type: Primary
-Auth:
-	required	pam_wheel.so group=sudo debug
-	required	pam_tally2.so deny=5 debug

usr/share/pam-configs/tally2-security-misc

@@ -0,0 +1,10 @@
+Name: lock accounts after 5 failed authentication attempts (by package security-misc)
+Default: yes
+Priority: 260
+Auth-Type: Primary
+Auth:
+	optional	pam_exec.so	debug stdout seteuid /usr/lib/security-misc/pam_tally2-info
+	requisite	pam_tally2.so even_deny_root deny=100 onerr=fail audit debug
+Account-Type: Primary
+Account:
+	requisite	pam_tally2.so debug

usr/share/pam-configs/usergroups-security-misc

@@ -3,4 +3,4 @@ Default: yes
 Priority: 256
 Session-Type: Additional
 Session:
-	optional	pam_umask.so	usergroups
+	optional	pam_umask.so	usergroups umask=006

usr/share/pam-configs/wheel-security-misc

@@ -0,0 +1,6 @@
+Name: group sudo membership required to use su (by package security-misc)
+Default: yes
+Priority: 270
+Auth-Type: Primary
+Auth:
+	requisite	pam_wheel.so group=sudo debug