mirror of
https://github.com/Kicksecure/security-misc.git
synced 2025-01-26 02:15:54 -05:00
Merge branch 'master' into patch-21
This commit is contained in:
commit
85502ad430
52
README.md
52
README.md
@ -40,6 +40,9 @@ KASLR effectiveness.
|
||||
* The SysRq key is restricted to only allow shutdowns/reboots.
|
||||
A systemd service clears System.map on boot as these contain kernel symbols
|
||||
that could be useful to an attacker.
|
||||
/etc/kernel/postinst.d/30_remove-system-map
|
||||
/lib/systemd/system/remove-system-map.service
|
||||
/usr/lib/security-misc/remove-system.map
|
||||
|
||||
* Coredumps are disabled as they may contain important information such as
|
||||
encryption keys or passwords.
|
||||
@ -52,6 +55,11 @@ for DMA (Direct Memory Access) attacks.
|
||||
* The kernel now panics on oopses to prevent it from continuing running a
|
||||
flawed process.
|
||||
|
||||
Requires every module to be signed before being loaded. Any module that is
|
||||
unsigned or signed with an invalid key cannot be loaded. This makes it harder
|
||||
to load a malicious module.
|
||||
/etc/default/grub.d/40_only_allow_signed_modules.cfg
|
||||
|
||||
Uncommon network protocols are blacklisted:
|
||||
These are rarely used and may have unknown vulnerabilities.
|
||||
/etc/modprobe.d/uncommon-network-protocols.conf
|
||||
@ -91,7 +99,7 @@ restricts access to the root account:
|
||||
|
||||
* `su` is restricted to only users within the group `sudo` which prevents
|
||||
users from using `su` to gain root access or to switch user accounts.
|
||||
/usr/share/pam-configs/security-misc
|
||||
/usr/share/pam-configs/wheel-security-misc
|
||||
(Which results in a change in file `/etc/pam.d/common-auth`.)
|
||||
|
||||
* Add user `root` to group `sudo`. This is required to make above work so
|
||||
@ -99,33 +107,49 @@ login as a user in a virtual console is still possible.
|
||||
debian/security-misc.postinst
|
||||
|
||||
* Lock user accounts after 5 failed login attempts using pam_tally2.
|
||||
/usr/share/pam-configs/security-misc
|
||||
/usr/share/pam-configs/tally2-security-misc
|
||||
|
||||
* Logging into the root account from a virtual, serial, whatnot console is
|
||||
prevented by shipping an existing and empty /etc/securetty.
|
||||
(Deletion of /etc/securetty has a different effect.)
|
||||
/etc/securetty.security-misc
|
||||
|
||||
informational output during PAM:
|
||||
|
||||
* Show failed and remaining password attempts.
|
||||
* Document unlock procedure if Linux user account got locked.
|
||||
* Point out, that there is no password feedback for `su`.
|
||||
* Explain locked (root) account if locked.
|
||||
* /usr/share/pam-configs/tally2-security-misc
|
||||
* /usr/lib/security-misc/pam_tally2-info
|
||||
|
||||
access rights restrictions:
|
||||
|
||||
* The default umask is changed to 006. This allows only the owner and group
|
||||
to read and write to newly created files.
|
||||
/etc/login.defs.security-misc
|
||||
/usr/share/pam-configs/usergroups-security-misc
|
||||
|
||||
* Enables pam_umask.so usergroups so group permissions are same as user
|
||||
permissions. Debian by default uses User Private Groups (UPG).
|
||||
https://wiki.debian.org/UserPrivateGroups
|
||||
/usr/share/pam-configs/usergroups
|
||||
/usr/share/pam-configs/usergroups-security-misc
|
||||
|
||||
* Create home directory on login with umask 006 using
|
||||
pam_mkhomedir.so umask=006
|
||||
/usr/share/pam-configs/mkhomedir-security-misc
|
||||
|
||||
* Removes read, write and execute access for others for all users who have
|
||||
home folders under folder /home by running for example
|
||||
"chmod o-rwx /home/user"
|
||||
during package installation or upgrade. This will be done only once per folder
|
||||
in folder /home so users who wish to relax file permissions are free to do so.
|
||||
This is to protect previously created files in user home folder which were
|
||||
previously created with lax file permissions prior installation of this
|
||||
during package installation, upgrade or pam. This will be done only once per
|
||||
folder in folder /home so users who wish to relax file permissions are free to
|
||||
do so. This is to protect previously created files in user home folder which
|
||||
were previously created with lax file permissions prior installation of this
|
||||
package.
|
||||
debian/security-misc.postinst
|
||||
/usr/share/pam-configs/permission-lockdown-security-misc
|
||||
/usr/lib/security-misc/permission-lockdown
|
||||
|
||||
access rights relaxations:
|
||||
|
||||
@ -186,16 +210,24 @@ Application specific hardening:
|
||||
* Deactivates thumbnails in Thunar.
|
||||
## How to install `security-misc` using apt-get ##
|
||||
|
||||
1\. Add [Whonix's Signing Key](https://www.whonix.org/wiki/Whonix_Signing_Key).
|
||||
1\. Download [Whonix's Signing Key]().
|
||||
|
||||
```
|
||||
sudo apt-key --keyring /etc/apt/trusted.gpg.d/whonix.gpg adv --keyserver hkp://ipv4.pool.sks-keyservers.net:80 --recv-keys 916B8D99C38EAF5E8ADC7A2A8D66066A2EEACCDA
|
||||
wget https://www.whonix.org/patrick.asc
|
||||
```
|
||||
|
||||
Users can [check Whonix Signing Key](https://www.whonix.org/wiki/Whonix_Signing_Key) for better security.
|
||||
|
||||
2\. Add Whonix's signing key.
|
||||
|
||||
```
|
||||
sudo apt-key --keyring /etc/apt/trusted.gpg.d/whonix.gpg add ~/patrick.asc
|
||||
```
|
||||
|
||||
3\. Add Whonix's APT repository.
|
||||
|
||||
```
|
||||
echo "deb http://deb.whonix.org buster main contrib non-free" | sudo tee /etc/apt/sources.list.d/whonix.list
|
||||
echo "deb https://deb.whonix.org buster main contrib non-free" | sudo tee /etc/apt/sources.list.d/whonix.list
|
||||
```
|
||||
|
||||
4\. Update your package lists.
|
||||
|
@ -1,3 +1,368 @@
|
||||
commit a11e3cea9eb160ba84dbc273ea4cb48bc687158f
|
||||
Author: Patrick Schleizer <adrelanos@riseup.net>
|
||||
Date: Thu Aug 15 15:08:48 2019 +0000
|
||||
|
||||
readme
|
||||
|
||||
commit ff9bc1d7ea81a8507f44d9bb1301b9665614ebdd
|
||||
Author: Patrick Schleizer <adrelanos@riseup.net>
|
||||
Date: Thu Aug 15 13:37:28 2019 +0000
|
||||
|
||||
informational output during PAM:
|
||||
|
||||
* Show failed and remaining password attempts.
|
||||
* Document unlock procedure if Linux user account got locked.
|
||||
* Point out, that there is no password feedback for `su`.
|
||||
* Explain locked (root) account if locked.
|
||||
* /usr/share/pam-configs/tally2-security-misc
|
||||
* /usr/lib/security-misc/pam_tally2-info
|
||||
|
||||
commit 454e1358220abf75def0d88a22426086a55c0802
|
||||
Author: Patrick Schleizer <adrelanos@riseup.net>
|
||||
Date: Thu Aug 15 07:33:41 2019 +0000
|
||||
|
||||
pam_tally2.so even_deny_root
|
||||
|
||||
commit 63b476221c7b9ece6b99f9e194fab80e300275d9
|
||||
Author: Patrick Schleizer <adrelanos@riseup.net>
|
||||
Date: Thu Aug 15 07:30:56 2019 +0000
|
||||
|
||||
use requisite rather than required to avoid asking for password needlessly
|
||||
|
||||
if login will fail anyhow
|
||||
|
||||
commit ce4a30d3cecb7e9bddb96c79aab871804cb90bd4
|
||||
Author: Patrick Schleizer <adrelanos@riseup.net>
|
||||
Date: Wed Aug 14 11:52:26 2019 +0000
|
||||
|
||||
bumped changelog version
|
||||
|
||||
commit a7c25a451c78f7b9a5720e1b6fc7d168eb0afa4f
|
||||
Author: Patrick Schleizer <adrelanos@riseup.net>
|
||||
Date: Wed Aug 14 11:50:53 2019 +0000
|
||||
|
||||
remove unneeded dependency on libpam-cgfs
|
||||
|
||||
commit 633854c6bec439af9718439c8207012322800166
|
||||
Author: Patrick Schleizer <adrelanos@riseup.net>
|
||||
Date: Wed Aug 14 11:13:25 2019 +0000
|
||||
|
||||
bumped changelog version
|
||||
|
||||
commit 0feb54b28e90b5c4cfcd529914a3892362c34966
|
||||
Author: Patrick Schleizer <adrelanos@riseup.net>
|
||||
Date: Wed Aug 14 11:10:18 2019 +0000
|
||||
|
||||
add Depends: apparmor-profile-anondist to fix apparmor issue
|
||||
|
||||
sudo[19806]: pam_exec(sudo:session): execve(/usr/lib/security-misc/permission-lockdown,...) failed: Permission denied
|
||||
sudo[18961]: pam_exec(sudo:session): /usr/lib/security-misc/permission-lockdown failed: exit code 13
|
||||
kernel: audit: type=1400 audit(1565780860.972:224): apparmor="DENIED" operation="exec" profile="/usr/bin/whonixcheck" name="/usr/lib/security-misc/permission-lockdown" pid=19806 comm="sudo" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
|
||||
|
||||
commit 8fdc77fed553d7ba6123d738b9cb3efe98f3f08f
|
||||
Author: Patrick Schleizer <adrelanos@riseup.net>
|
||||
Date: Wed Aug 14 10:33:23 2019 +0000
|
||||
|
||||
output to stdout
|
||||
|
||||
commit 5213cfbcdcb41a5aa714d1031b36436adeb0359c
|
||||
Author: Patrick Schleizer <adrelanos@riseup.net>
|
||||
Date: Wed Aug 14 10:08:18 2019 +0000
|
||||
|
||||
bumped changelog version
|
||||
|
||||
commit 2875adb7221769dcd23ef701dae8b9ad24708590
|
||||
Author: Patrick Schleizer <adrelanos@riseup.net>
|
||||
Date: Wed Aug 14 10:07:55 2019 +0000
|
||||
|
||||
readme
|
||||
|
||||
commit 01b3a0bfaeda0dad87644ad8d54c61e07dd501f7
|
||||
Author: Patrick Schleizer <adrelanos@riseup.net>
|
||||
Date: Wed Aug 14 09:52:53 2019 +0000
|
||||
|
||||
description
|
||||
|
||||
commit 547ba91d799780487782cdd8088c556d978494e8
|
||||
Author: Patrick Schleizer <adrelanos@riseup.net>
|
||||
Date: Wed Aug 14 09:45:30 2019 +0000
|
||||
|
||||
sanity test
|
||||
|
||||
commit dee195d89e94ff343cec60308cbbb5464d2a7b18
|
||||
Author: Patrick Schleizer <adrelanos@riseup.net>
|
||||
Date: Wed Aug 14 09:40:41 2019 +0000
|
||||
|
||||
description
|
||||
|
||||
commit 799acad724977dea220c2228f9da0db3d6b5170e
|
||||
Author: Patrick Schleizer <adrelanos@riseup.net>
|
||||
Date: Wed Aug 14 09:39:43 2019 +0000
|
||||
|
||||
skip, if not a folder
|
||||
|
||||
commit 6321ff5ad5938a929d4a997b4f1b03db2ac4b5fd
|
||||
Author: Patrick Schleizer <adrelanos@riseup.net>
|
||||
Date: Wed Aug 14 09:38:44 2019 +0000
|
||||
|
||||
refactoring
|
||||
|
||||
commit 15094cab4fbbb1fd0c20bd8241ea20bd6c0bd331
|
||||
Author: Patrick Schleizer <adrelanos@riseup.net>
|
||||
Date: Wed Aug 14 09:36:30 2019 +0000
|
||||
|
||||
avoid ' character in usr/share/pam-configs; in description
|
||||
|
||||
commit 97d1945e61053efd3b73fb9f761b3ea1c9271cdc
|
||||
Author: Patrick Schleizer <adrelanos@riseup.net>
|
||||
Date: Wed Aug 14 09:32:58 2019 +0000
|
||||
|
||||
no log needed, informative output to stdout instead
|
||||
|
||||
commit a085d46c567b0b5dbbaddd8f3e5873d87d904c4a
|
||||
Author: Patrick Schleizer <adrelanos@riseup.net>
|
||||
Date: Wed Aug 14 09:31:58 2019 +0000
|
||||
|
||||
change priories so "pam_umask.so usergroups umask=006" runs before pam_exec.so /usr/lib/security-misc/permission-lockdown
|
||||
|
||||
commit f8c828b69a8f52108d19af4076e718930b5dcd07
|
||||
Author: Patrick Schleizer <adrelanos@riseup.net>
|
||||
Date: Wed Aug 14 05:19:02 2019 -0400
|
||||
|
||||
output
|
||||
|
||||
commit e5da6d9699de1d3c4aaefee7d301a4c47f33e4bd
|
||||
Author: Patrick Schleizer <adrelanos@riseup.net>
|
||||
Date: Wed Aug 14 05:17:54 2019 -0400
|
||||
|
||||
copyright
|
||||
|
||||
commit 1595789d7c310c80196345e06b6bacc8fb7c0baf
|
||||
Author: Patrick Schleizer <adrelanos@riseup.net>
|
||||
Date: Wed Aug 14 05:17:16 2019 -0400
|
||||
|
||||
comment
|
||||
|
||||
commit ce06fdf91103afbaf84523ce998570af733b5bbe
|
||||
Author: Patrick Schleizer <adrelanos@riseup.net>
|
||||
Date: Wed Aug 14 05:15:53 2019 -0400
|
||||
|
||||
formatting
|
||||
|
||||
commit 21489111d107023f150988137180154ba62e1ff2
|
||||
Author: Patrick Schleizer <adrelanos@riseup.net>
|
||||
Date: Wed Aug 14 08:34:03 2019 +0000
|
||||
|
||||
run permission lockdown during pam
|
||||
|
||||
https://forums.whonix.org/t/change-default-umask/7416
|
||||
|
||||
commit 42f2d5f6664f15baebdaf200a5690cf32cdbe284
|
||||
Author: Patrick Schleizer <adrelanos@riseup.net>
|
||||
Date: Wed Aug 14 07:39:28 2019 +0000
|
||||
|
||||
description
|
||||
|
||||
commit 52df8dc0149d597c3106daa7112a01db444e34f1
|
||||
Author: Patrick Schleizer <adrelanos@riseup.net>
|
||||
Date: Wed Aug 14 07:37:21 2019 +0000
|
||||
|
||||
optional pam_umask.so usergroups umask=006
|
||||
|
||||
commit f210294f4091b6a09c902a446b125c26022c5d2a
|
||||
Author: Patrick Schleizer <adrelanos@riseup.net>
|
||||
Date: Wed Aug 14 07:24:24 2019 +0000
|
||||
|
||||
description
|
||||
|
||||
commit dbea7d1511d8e1b2604960d37146ec931d9dfe15
|
||||
Author: Patrick Schleizer <adrelanos@riseup.net>
|
||||
Date: Wed Aug 14 07:22:14 2019 +0000
|
||||
|
||||
add hook etc/kernel/postinst.d/30_remove-system-map to remove system.map
|
||||
|
||||
on kernel package upgrade;
|
||||
|
||||
self-document this package: during upgrade the following will be written
|
||||
to stdout:
|
||||
|
||||
Setting up linux-image-4.19.0-5-amd64 (4.19.37-5+deb10u2) ...
|
||||
/etc/kernel/postinst.d/30_remove-system-map:
|
||||
removed '/boot/System.map-4.19.0-5-amd64
|
||||
|
||||
commit f1d8cbc9fb2b800205923cce77a8e242dddd133c
|
||||
Author: Patrick Schleizer <adrelanos@riseup.net>
|
||||
Date: Wed Aug 14 07:02:09 2019 +0000
|
||||
|
||||
bumped changelog version
|
||||
|
||||
commit 41f4441d9dc5777d4ea7424f8422164c548da091
|
||||
Author: Patrick Schleizer <adrelanos@riseup.net>
|
||||
Date: Wed Aug 14 07:01:47 2019 +0000
|
||||
|
||||
readme
|
||||
|
||||
commit a82448d46af4fb9dce2de84025b8b820a11fae01
|
||||
Author: Patrick Schleizer <adrelanos@riseup.net>
|
||||
Date: Wed Aug 14 07:01:25 2019 +0000
|
||||
|
||||
description
|
||||
|
||||
commit ff8c0979435b491cf462c5ef6e8e02f6d85f1d81
|
||||
Merge: 6f8acf0 a8ea379
|
||||
Author: Patrick Schleizer <adrelanos@riseup.net>
|
||||
Date: Wed Aug 14 06:59:50 2019 +0000
|
||||
|
||||
Merge remote-tracking branch 'origin/master'
|
||||
|
||||
commit a8ea37952669b3f40a452cb580442126ec44233a
|
||||
Merge: 6f8acf0 9a49b8e
|
||||
Author: Patrick Schleizer <adrelanos@riseup.net>
|
||||
Date: Wed Aug 14 06:59:34 2019 +0000
|
||||
|
||||
Merge pull request #28 from madaidan/patch-22
|
||||
|
||||
Require all loaded kernel modules to be signed with a valid key.
|
||||
|
||||
commit 9a49b8ecbb863a995862a4d380c6a03f6c0991ac
|
||||
Author: madaidan <50278627+madaidan@users.noreply.github.com>
|
||||
Date: Tue Aug 13 13:33:07 2019 +0000
|
||||
|
||||
Create 40_only_allow_signed_modules.cfg
|
||||
|
||||
Require all loaded kernel modules to be signed with a valid key.
|
||||
|
||||
commit 6f8acf06d79c77e3bee15cc8696a433271e2b7c9
|
||||
Author: Patrick Schleizer <adrelanos@riseup.net>
|
||||
Date: Sun Aug 11 12:07:07 2019 +0000
|
||||
|
||||
bumped changelog version
|
||||
|
||||
commit 52cee9128316d649ba7ffa9600d0fdc33c99a9a9
|
||||
Author: Patrick Schleizer <adrelanos@riseup.net>
|
||||
Date: Sun Aug 11 11:39:32 2019 +0000
|
||||
|
||||
readme
|
||||
|
||||
commit aacd9c7679b05b7ee59df484f21a24fe7aa5901d
|
||||
Author: Patrick Schleizer <adrelanos@riseup.net>
|
||||
Date: Sun Aug 11 10:34:38 2019 +0000
|
||||
|
||||
description
|
||||
|
||||
commit c0b5c70de498d891e4edd5b9af2292909be36776
|
||||
Author: Patrick Schleizer <adrelanos@riseup.net>
|
||||
Date: Sun Aug 11 10:33:22 2019 +0000
|
||||
|
||||
description
|
||||
|
||||
commit 2f37a66fd009c9cba423c0f95833a71c8669af46
|
||||
Author: Patrick Schleizer <adrelanos@riseup.net>
|
||||
Date: Sun Aug 11 10:31:29 2019 +0000
|
||||
|
||||
description
|
||||
|
||||
commit e83ec79a25d09b2467e2389959d87267bab7f1f0
|
||||
Author: Patrick Schleizer <adrelanos@riseup.net>
|
||||
Date: Sun Aug 11 10:30:51 2019 +0000
|
||||
|
||||
enable usr/share/pam-configs/mkhomedir-security-misc by default
|
||||
|
||||
commit 1eb806a03ef25bb387fa80f45dd6509925437048
|
||||
Author: Patrick Schleizer <adrelanos@riseup.net>
|
||||
Date: Sun Aug 11 10:29:49 2019 +0000
|
||||
|
||||
pam_mkhomedir.so umask=006
|
||||
|
||||
commit c50eb3c9b07b9e54951eb08206db6d28383f6cdc
|
||||
Author: Patrick Schleizer <adrelanos@riseup.net>
|
||||
Date: Sun Aug 11 10:28:55 2019 +0000
|
||||
|
||||
add usr/share/pam-configs/mkhomedir-security-misc based on
|
||||
/usr/share/pam-configs/mkhomedir
|
||||
|
||||
commit 75769151cd7980042357f18c5567adab2a031049
|
||||
Author: Patrick Schleizer <adrelanos@riseup.net>
|
||||
Date: Sat Aug 10 11:37:02 2019 +0000
|
||||
|
||||
bumped changelog version
|
||||
|
||||
commit a2fa18c38159161418edcdaacb1baad215f5d31d
|
||||
Author: Patrick Schleizer <adrelanos@riseup.net>
|
||||
Date: Sat Aug 10 07:07:28 2019 -0400
|
||||
|
||||
pam_tally2.so deny=100
|
||||
|
||||
during testing, due to issues
|
||||
|
||||
https://github.com/Whonix/security-misc/commit/d17e25272b9b7bbb6abc4dccd500a6b34311a7dd
|
||||
|
||||
https://forums.whonix.org/t/how-strong-do-linux-user-account-passwords-have-to-be-when-using-full-disk-encryption-fde-too/7698/12
|
||||
|
||||
commit d17e25272b9b7bbb6abc4dccd500a6b34311a7dd
|
||||
Author: Patrick Schleizer <adrelanos@riseup.net>
|
||||
Date: Sat Aug 10 06:06:39 2019 -0400
|
||||
|
||||
effectively (not directly) add "required pam_tally2.so debug" to /etc/pam.d/common-account
|
||||
|
||||
This is required because otherwise something like "sudo bash" would count as a
|
||||
failed login for pam_tally2 even though it was successful.
|
||||
|
||||
https://bugzilla.redhat.com/show_bug.cgi?id=707660
|
||||
|
||||
https://forums.whonix.org/t/restrict-root-access/7658
|
||||
|
||||
commit 0f896a9d8d6f7c125311a0e226755f8a00214f3c
|
||||
Author: Patrick Schleizer <adrelanos@riseup.net>
|
||||
Date: Sat Aug 10 06:05:37 2019 -0400
|
||||
|
||||
add onerr=fail audit to pam_tally2
|
||||
|
||||
commit a703865dcf736996a58e6f684fc02f0e9dfa8cc7
|
||||
Author: Patrick Schleizer <adrelanos@riseup.net>
|
||||
Date: Thu Aug 1 12:02:41 2019 +0000
|
||||
|
||||
bumped changelog version
|
||||
|
||||
commit 1fe3036a4903588b89edd82e7097a665271fd27f
|
||||
Author: Patrick Schleizer <adrelanos@riseup.net>
|
||||
Date: Thu Aug 1 11:13:43 2019 +0000
|
||||
|
||||
readme
|
||||
|
||||
commit e076470f68dc18908c5ab1889232aaaa0fcb9f3d
|
||||
Author: Patrick Schleizer <adrelanos@riseup.net>
|
||||
Date: Thu Aug 1 11:04:58 2019 +0000
|
||||
|
||||
renamed: usr/share/pam-configs/usergroups -> usr/share/pam-configs/usergroups-security-misc
|
||||
|
||||
commit 830111e99aa6f45688c4ba00a7f41ea323f15f2a
|
||||
Author: Patrick Schleizer <adrelanos@riseup.net>
|
||||
Date: Thu Aug 1 11:04:22 2019 +0000
|
||||
|
||||
split usr/share/pam-configs/security-misc
|
||||
into
|
||||
usr/share/pam-configs/tally2-security-misc
|
||||
usr/share/pam-configs/wheel-security-misc
|
||||
|
||||
commit 5d0aec1321b4f46f1834ba9ad166d2445a995fbb
|
||||
Author: Patrick Schleizer <adrelanos@riseup.net>
|
||||
Date: Wed Jul 31 19:12:27 2019 +0000
|
||||
|
||||
bumped changelog version
|
||||
|
||||
commit 89d32402b2dd2182dc6e7788d41708eaaeeb02c1
|
||||
Author: Patrick Schleizer <adrelanos@riseup.net>
|
||||
Date: Wed Jul 31 14:52:29 2019 -0400
|
||||
|
||||
fix, do not use "," inside /usr/share/pam-configs files
|
||||
|
||||
commit 864de10659d0145ae8883b98b1746a7debc9492a
|
||||
Author: Patrick Schleizer <adrelanos@riseup.net>
|
||||
Date: Wed Jul 31 15:17:51 2019 +0000
|
||||
|
||||
bumped changelog version
|
||||
|
||||
commit 47368ae4fccc85ab3197f07316b03c123187f9a2
|
||||
Author: Patrick Schleizer <adrelanos@riseup.net>
|
||||
Date: Wed Jul 31 15:15:30 2019 +0000
|
||||
|
54
debian/changelog
vendored
54
debian/changelog
vendored
@ -1,3 +1,57 @@
|
||||
security-misc (3:7.1-1) unstable; urgency=medium
|
||||
|
||||
* New upstream version (local package).
|
||||
|
||||
-- Patrick Schleizer <adrelanos@riseup.net> Thu, 15 Aug 2019 15:18:02 +0000
|
||||
|
||||
security-misc (3:7.0-1) unstable; urgency=medium
|
||||
|
||||
* New upstream version (local package).
|
||||
|
||||
-- Patrick Schleizer <adrelanos@riseup.net> Wed, 14 Aug 2019 11:52:26 +0000
|
||||
|
||||
security-misc (3:6.9-1) unstable; urgency=medium
|
||||
|
||||
* New upstream version (local package).
|
||||
|
||||
-- Patrick Schleizer <adrelanos@riseup.net> Wed, 14 Aug 2019 11:13:25 +0000
|
||||
|
||||
security-misc (3:6.8-1) unstable; urgency=medium
|
||||
|
||||
* New upstream version (local package).
|
||||
|
||||
-- Patrick Schleizer <adrelanos@riseup.net> Wed, 14 Aug 2019 10:08:18 +0000
|
||||
|
||||
security-misc (3:6.7-1) unstable; urgency=medium
|
||||
|
||||
* New upstream version (local package).
|
||||
|
||||
-- Patrick Schleizer <adrelanos@riseup.net> Wed, 14 Aug 2019 07:02:09 +0000
|
||||
|
||||
security-misc (3:6.6-1) unstable; urgency=medium
|
||||
|
||||
* New upstream version (local package).
|
||||
|
||||
-- Patrick Schleizer <adrelanos@riseup.net> Sun, 11 Aug 2019 12:07:07 +0000
|
||||
|
||||
security-misc (3:6.5-1) unstable; urgency=medium
|
||||
|
||||
* New upstream version (local package).
|
||||
|
||||
-- Patrick Schleizer <adrelanos@riseup.net> Sat, 10 Aug 2019 11:37:02 +0000
|
||||
|
||||
security-misc (3:6.4-1) unstable; urgency=medium
|
||||
|
||||
* New upstream version (local package).
|
||||
|
||||
-- Patrick Schleizer <adrelanos@riseup.net> Thu, 01 Aug 2019 12:02:41 +0000
|
||||
|
||||
security-misc (3:6.3-1) unstable; urgency=medium
|
||||
|
||||
* New upstream version (local package).
|
||||
|
||||
-- Patrick Schleizer <adrelanos@riseup.net> Wed, 31 Jul 2019 19:12:27 +0000
|
||||
|
||||
security-misc (3:6.2-1) unstable; urgency=medium
|
||||
|
||||
* New upstream version (local package).
|
||||
|
42
debian/control
vendored
42
debian/control
vendored
@ -13,8 +13,8 @@ Standards-Version: 4.3.0
|
||||
|
||||
Package: security-misc
|
||||
Architecture: all
|
||||
Depends: python, libglib2.0-bin, libpam-runtime, libpam-cgfs, sudo,
|
||||
${misc:Depends}
|
||||
Depends: python, libglib2.0-bin, libpam-runtime, sudo,
|
||||
apparmor-profile-anondist, ${misc:Depends}
|
||||
Replaces: tcp-timestamps-disable
|
||||
Description: enhances misc security settings
|
||||
kernel hardening:
|
||||
@ -57,6 +57,9 @@ Description: enhances misc security settings
|
||||
* The SysRq key is restricted to only allow shutdowns/reboots.
|
||||
A systemd service clears System.map on boot as these contain kernel symbols
|
||||
that could be useful to an attacker.
|
||||
/etc/kernel/postinst.d/30_remove-system-map
|
||||
/lib/systemd/system/remove-system-map.service
|
||||
/usr/lib/security-misc/remove-system.map
|
||||
.
|
||||
* Coredumps are disabled as they may contain important information such as
|
||||
encryption keys or passwords.
|
||||
@ -71,6 +74,11 @@ Description: enhances misc security settings
|
||||
.
|
||||
* Bluetooth is blacklisted to reduce attack surface. Bluetooth also has
|
||||
a history of [security concerns](https://en.wikipedia.org/wiki/Bluetooth#History_of_security_concerns).
|
||||
.
|
||||
* Requires every module to be signed before being loaded. Any module that is
|
||||
unsigned or signed with an invalid key cannot be loaded. This makes it harder
|
||||
to load a malicious module.
|
||||
/etc/default/grub.d/40_only_allow_signed_modules.cfg
|
||||
.
|
||||
Uncommon network protocols are blacklisted:
|
||||
These are rarely used and may have unknown vulnerabilities.
|
||||
@ -111,7 +119,7 @@ Description: enhances misc security settings
|
||||
.
|
||||
* `su` is restricted to only users within the group `sudo` which prevents
|
||||
users from using `su` to gain root access or to switch user accounts.
|
||||
/usr/share/pam-configs/security-misc
|
||||
/usr/share/pam-configs/wheel-security-misc
|
||||
(Which results in a change in file `/etc/pam.d/common-auth`.)
|
||||
.
|
||||
* Add user `root` to group `sudo`. This is required to make above work so
|
||||
@ -119,33 +127,49 @@ Description: enhances misc security settings
|
||||
debian/security-misc.postinst
|
||||
.
|
||||
* Lock user accounts after 5 failed login attempts using pam_tally2.
|
||||
/usr/share/pam-configs/security-misc
|
||||
/usr/share/pam-configs/tally2-security-misc
|
||||
.
|
||||
* Logging into the root account from a virtual, serial, whatnot console is
|
||||
prevented by shipping an existing and empty /etc/securetty.
|
||||
(Deletion of /etc/securetty has a different effect.)
|
||||
/etc/securetty.security-misc
|
||||
.
|
||||
informational output during PAM:
|
||||
.
|
||||
* Show failed and remaining password attempts.
|
||||
* Document unlock procedure if Linux user account got locked.
|
||||
* Point out, that there is no password feedback for `su`.
|
||||
* Explain locked (root) account if locked.
|
||||
* /usr/share/pam-configs/tally2-security-misc
|
||||
* /usr/lib/security-misc/pam_tally2-info
|
||||
.
|
||||
access rights restrictions:
|
||||
.
|
||||
* The default umask is changed to 006. This allows only the owner and group
|
||||
to read and write to newly created files.
|
||||
/etc/login.defs.security-misc
|
||||
/usr/share/pam-configs/usergroups-security-misc
|
||||
.
|
||||
* Enables pam_umask.so usergroups so group permissions are same as user
|
||||
permissions. Debian by default uses User Private Groups (UPG).
|
||||
https://wiki.debian.org/UserPrivateGroups
|
||||
/usr/share/pam-configs/usergroups
|
||||
/usr/share/pam-configs/usergroups-security-misc
|
||||
.
|
||||
* Create home directory on login with umask 006 using
|
||||
pam_mkhomedir.so umask=006
|
||||
/usr/share/pam-configs/mkhomedir-security-misc
|
||||
.
|
||||
* Removes read, write and execute access for others for all users who have
|
||||
home folders under folder /home by running for example
|
||||
"chmod o-rwx /home/user"
|
||||
during package installation or upgrade. This will be done only once per folder
|
||||
in folder /home so users who wish to relax file permissions are free to do so.
|
||||
This is to protect previously created files in user home folder which were
|
||||
previously created with lax file permissions prior installation of this
|
||||
during package installation, upgrade or pam. This will be done only once per
|
||||
folder in folder /home so users who wish to relax file permissions are free to
|
||||
do so. This is to protect previously created files in user home folder which
|
||||
were previously created with lax file permissions prior installation of this
|
||||
package.
|
||||
debian/security-misc.postinst
|
||||
/usr/share/pam-configs/permission-lockdown-security-misc
|
||||
/usr/lib/security-misc/permission-lockdown
|
||||
.
|
||||
access rights relaxations:
|
||||
.
|
||||
|
28
debian/security-misc.postinst
vendored
28
debian/security-misc.postinst
vendored
@ -15,32 +15,6 @@ true "
|
||||
#####################################################################
|
||||
"
|
||||
|
||||
home_folder_access_rights_lockdown() {
|
||||
mkdir -p /var/cache/security-misc/state-files
|
||||
|
||||
shopt -s nullglob
|
||||
|
||||
## Not using dotglob.
|
||||
## touch /var/cache/security-misc/state-files//home/.Trash
|
||||
## touch: cannot touch '/var/cache/security-misc/state-files//home/.Trash': No such file or directory
|
||||
|
||||
local folder_name base_name
|
||||
|
||||
for folder_name in /home/* ; do
|
||||
base_name="$(basename "$folder_name")"
|
||||
if [ -f "/var/cache/security-misc/state-files/$base_name" ]; then
|
||||
continue
|
||||
fi
|
||||
chmod o-rwx "$folder_name"
|
||||
## Create a state-file so we do this only once.
|
||||
## Therefore a user who will manually undo this, will not get
|
||||
## annoyed by this being done over and over again.
|
||||
touch "/var/cache/security-misc/state-files/$base_name"
|
||||
done
|
||||
|
||||
shopt -u nullglob
|
||||
}
|
||||
|
||||
case "$1" in
|
||||
configure)
|
||||
glib-compile-schemas /usr/share/glib-2.0/schemas || true
|
||||
@ -59,7 +33,7 @@ addgroup root sudo
|
||||
|
||||
pam-auth-update --package
|
||||
|
||||
home_folder_access_rights_lockdown
|
||||
/usr/lib/security-misc/permission-lockdown
|
||||
|
||||
true "INFO: debhelper beginning here."
|
||||
|
||||
|
3
etc/default/grub.d/40_only_allow_signed_modules.cfg
Normal file
3
etc/default/grub.d/40_only_allow_signed_modules.cfg
Normal file
@ -0,0 +1,3 @@
|
||||
# Requires every module to be signed before being loaded. Any module that is unsigned or signed with an invalid key cannot be loaded.
|
||||
# This makes it harder to load a malicious module.
|
||||
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX module.sig_enforce=1"
|
5
etc/kernel/postinst.d/30_remove-system-map
Executable file
5
etc/kernel/postinst.d/30_remove-system-map
Executable file
@ -0,0 +1,5 @@
|
||||
#!/bin/bash
|
||||
|
||||
if test -x /usr/lib/security-misc/remove-system.map ; then
|
||||
/usr/lib/security-misc/remove-system.map
|
||||
fi
|
109
usr/lib/security-misc/pam_tally2-info
Executable file
109
usr/lib/security-misc/pam_tally2-info
Executable file
@ -0,0 +1,109 @@
|
||||
#!/bin/bash
|
||||
|
||||
if [ ! -r /var/log/auth.log ]; then
|
||||
exit 0
|
||||
fi
|
||||
|
||||
pam_tally2_output="$(pam_tally2 --user "$PAM_USER")"
|
||||
|
||||
if [ "$pam_tally2_output" = "" ]; then
|
||||
true "$0: no failed login"
|
||||
exit 0
|
||||
fi
|
||||
|
||||
## Example:
|
||||
#Login Failures Latest failure From
|
||||
#user 0
|
||||
|
||||
pam_tally2_output_last_line="$(echo "$pam_tally2_output" | tail -1)"
|
||||
## Example:
|
||||
#user 0
|
||||
|
||||
arr=($pam_tally2_output_last_line)
|
||||
user_name="${arr[0]}"
|
||||
failed_login_counter="${arr[1]}"
|
||||
|
||||
if [ ! "$PAM_USER" = "$user_name" ]; then
|
||||
echo "$0: ERROR: PAM_USER: $PAM_USER does not equal user_name: '$user_name'." >&2
|
||||
echo "$0: ERROR: Please report this bug." >&2
|
||||
echo "" >&2
|
||||
exit 0
|
||||
fi
|
||||
|
||||
if [ "$failed_login_counter" = "0" ]; then
|
||||
true "$0: INFO: Failed login counter is 0, ok."
|
||||
exit 0
|
||||
fi
|
||||
|
||||
temp="$(grep pam_tally2 /var/log/auth.log | grep ", deny" | tail -1)"
|
||||
last_line_of_user="$(echo "$temp" | grep "pam_tally2")"
|
||||
last_line_of_user="$(echo "$temp" | grep "): user $PAM_USER")"
|
||||
|
||||
#last_line_of_user="$(grep pam_tally2 /var/log/auth.log | grep "): user $PAM_USER " | tail -1)"
|
||||
## Example:
|
||||
#Aug 15 03:47:50 localhost sudo: pam_tally2(sudo:auth): user user (1000) tally 1, deny 10
|
||||
|
||||
temp="$(echo "$last_line_of_user" | sed 's/.*tally //')"
|
||||
temp="${temp/", deny"/""}"
|
||||
## Example:
|
||||
#1 100
|
||||
|
||||
arr=($temp)
|
||||
tally="${arr[0]}"
|
||||
deny="${arr[1]}"
|
||||
|
||||
if [[ "$tally" == *[!0-9]* ]]; then
|
||||
echo "$0: ERROR: tally is not numeric." >&2
|
||||
echo "$0: ERROR: Please report this bug." >&2
|
||||
echo "" >&2
|
||||
exit 0
|
||||
fi
|
||||
|
||||
if [[ "$deny" == *[!0-9]* ]]; then
|
||||
echo "$0: ERROR: deny is not numeric." >&2
|
||||
echo "$0: ERROR: Please report this bug." >&2
|
||||
echo "" >&2
|
||||
exit 0
|
||||
fi
|
||||
|
||||
remaining_attempts="$(( $deny - $tally ))"
|
||||
|
||||
## Thanks to:
|
||||
if [ "$(passwd -S "$PAM_USER" | cut -d ' ' -f 2)" = "P" ]; then
|
||||
true "INFO: Password not locked."
|
||||
else
|
||||
echo "$0: ERROR: Password for user \"$PAM_USER\" is locked." >&2
|
||||
if [ "$PAM_USER" = "root" ]; then
|
||||
echo "$0: ERROR: root account is locked by default. See:" >&2
|
||||
echo "https://www.whonix.org/wiki/root" >&2
|
||||
echo "" >&2
|
||||
fi
|
||||
exit 0
|
||||
fi
|
||||
|
||||
if [ "$remaining_attempts" -le "0" ]; then
|
||||
echo "$0: ERROR: Login blocked after $tally attempts." >&2
|
||||
echo "$0: To unlock, run the following command as superuser:" >&2
|
||||
echo "$0: (If you still have a sudo/root shell somewhere.)" >&2
|
||||
echo "" >&2
|
||||
echo "pam_tally2 --quiet -r --user $PAM_USER" >&2
|
||||
echo "" >&2
|
||||
echo "$0: However, most likely unlock procedure is required." >&2
|
||||
echo "$0: First boot into recovery mode at grub boot menu and then run above command." >&2
|
||||
echo "$0: See also:" >&2
|
||||
echo "https://www.whonix.org/wiki/root#unlock" >&2
|
||||
echo "" >&2
|
||||
exit 0
|
||||
fi
|
||||
|
||||
echo "$0: WARNING: $tally failed login attempts." >&2
|
||||
echo "$0: Login will be blocked after $deny attempts." >&2
|
||||
echo "$0: You have $remaining_attempts more attempts before unlock procedure is required." >&2
|
||||
echo "" >&2
|
||||
|
||||
if [ "$PAM_SERVICE" = "su" ]; then
|
||||
echo "$0: NOTE: Type the password. When entering the password, no password feedback (no asterisk (\"*\") symbol) will be shown." >&2
|
||||
echo "" >&2
|
||||
fi
|
||||
|
||||
exit 0
|
68
usr/lib/security-misc/permission-lockdown
Executable file
68
usr/lib/security-misc/permission-lockdown
Executable file
@ -0,0 +1,68 @@
|
||||
#!/bin/bash
|
||||
|
||||
## Copyright (C) 2012 - 2019 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>
|
||||
## See the file COPYING for copying conditions.
|
||||
|
||||
## Doing this for all users would create many issues.
|
||||
# /usr/lib/security-misc/permission-lockdown: user: root | chmod o-rwx "/root"
|
||||
# /usr/lib/security-misc/permission-lockdown: user: daemon | chmod o-rwx "/usr/sbin"
|
||||
# /usr/lib/security-misc/permission-lockdown: user: bin | chmod o-rwx "/bin"
|
||||
# /usr/lib/security-misc/permission-lockdown: user: sys | chmod o-rwx "/dev"
|
||||
# /usr/lib/security-misc/permission-lockdown: user: sync | chmod o-rwx "/bin"
|
||||
# /usr/lib/security-misc/permission-lockdown: user: games | chmod o-rwx "/usr/games"
|
||||
# /usr/lib/security-misc/permission-lockdown: user: man | chmod o-rwx "/var/cache/man"
|
||||
# /usr/lib/security-misc/permission-lockdown: user: mail | chmod o-rwx "/var/mail"
|
||||
# /usr/lib/security-misc/permission-lockdown: user: proxy | chmod o-rwx "/bin"
|
||||
# /usr/lib/security-misc/permission-lockdown: user: backup | chmod o-rwx "/var/backups"
|
||||
# /usr/lib/security-misc/permission-lockdown: user: systemd-timesync | chmod o-rwx "/run/systemd"
|
||||
# /usr/lib/security-misc/permission-lockdown: user: systemd-network | chmod o-rwx "/run/systemd/netif"
|
||||
# /usr/lib/security-misc/permission-lockdown: user: messagebus | chmod o-rwx "/var/run/dbus"
|
||||
# /usr/lib/security-misc/permission-lockdown: user: tinyproxy | chmod o-rwx "/run/tinyproxy"
|
||||
# /usr/lib/security-misc/permission-lockdown: user: rtkit | chmod o-rwx "/proc"
|
||||
# /usr/lib/security-misc/permission-lockdown: user: colord | chmod o-rwx "/var/lib/colord"
|
||||
# /usr/lib/security-misc/permission-lockdown: user: Debian-exim | chmod o-rwx "/var/spool/exim4"
|
||||
# /usr/lib/security-misc/permission-lockdown: user: debian-tor | chmod o-rwx "/var/lib/tor"
|
||||
# /usr/lib/security-misc/permission-lockdown: user: stunnel4 | chmod o-rwx "/var/run/stunnel4"
|
||||
# /usr/lib/security-misc/permission-lockdown: user: iodine | chmod o-rwx "/var/run/iodine"
|
||||
# /usr/lib/security-misc/permission-lockdown: user: apt-cacher-ng | chmod o-rwx "/var/cache/apt-cacher-ng"
|
||||
# /usr/lib/security-misc/permission-lockdown: user: statd | chmod o-rwx "/var/lib/nfs"
|
||||
# /usr/lib/security-misc/permission-lockdown: user: timidity | chmod o-rwx "/etc/timidity"
|
||||
# /usr/lib/security-misc/permission-lockdown: user: uuidd | chmod o-rwx "/run/uuidd"
|
||||
# /usr/lib/security-misc/permission-lockdown: user: _rpc | chmod o-rwx "/run/rpcbind"
|
||||
# /usr/lib/security-misc/permission-lockdown: user: geoclue | chmod o-rwx "/var/lib/geoclue"
|
||||
|
||||
home_folder_access_rights_lockdown() {
|
||||
shopt -s nullglob
|
||||
|
||||
## Not using dotglob.
|
||||
## touch /var/cache/security-misc/state-files//home/.Trash
|
||||
## touch: cannot touch '/var/cache/security-misc/state-files//home/.Trash': No such file or directory
|
||||
|
||||
local folder_name base_name
|
||||
|
||||
for folder_name in /home/* ; do
|
||||
base_name="$(basename "$folder_name")"
|
||||
if [ -f "/var/cache/security-misc/state-files/$base_name" ]; then
|
||||
continue
|
||||
fi
|
||||
if [ ! -d "$folder_name" ]; then
|
||||
continue
|
||||
fi
|
||||
if [ "$folder_name" = "/home/" ]; then
|
||||
continue
|
||||
fi
|
||||
mkdir -p /var/cache/security-misc/state-files
|
||||
echo "$0: chmod o-rwx \"$folder_name\""
|
||||
chmod o-rwx "$folder_name"
|
||||
## Create a state-file so we do this only once.
|
||||
## Therefore a user who will manually undo this, will not get
|
||||
## annoyed by this being done over and over again.
|
||||
touch "/var/cache/security-misc/state-files/$base_name"
|
||||
done
|
||||
|
||||
shopt -u nullglob
|
||||
}
|
||||
|
||||
home_folder_access_rights_lockdown
|
||||
|
||||
exit 0
|
@ -9,6 +9,6 @@ shopt -s nullglob
|
||||
for filename in /boot/System.map-*
|
||||
do
|
||||
if [ -f "${filename}" ]; then
|
||||
rm -f "${filename}"
|
||||
rm --verbose --force "${filename}"
|
||||
fi
|
||||
done
|
||||
|
7
usr/share/pam-configs/mkhomedir-security-misc
Normal file
7
usr/share/pam-configs/mkhomedir-security-misc
Normal file
@ -0,0 +1,7 @@
|
||||
Name: Create home directory on login (by package security-misc)
|
||||
Default: yes
|
||||
Priority: 100
|
||||
Session-Type: Additional
|
||||
Session-Interactive-Only: yes
|
||||
Session:
|
||||
optional pam_mkhomedir.so umask=006
|
6
usr/share/pam-configs/permission-lockdown-security-misc
Normal file
6
usr/share/pam-configs/permission-lockdown-security-misc
Normal file
@ -0,0 +1,6 @@
|
||||
Name: prevent users from reading other users /home/user folders (by package security-misc)
|
||||
Default: yes
|
||||
Priority: 50
|
||||
Session-Type: Additional
|
||||
Session:
|
||||
optional pam_exec.so debug stdout seteuid /usr/lib/security-misc/permission-lockdown
|
@ -1,7 +0,0 @@
|
||||
Name: group sudo membership required to use su, lock accounts after 5 failed authentication attempts (by package security-misc)
|
||||
Default: yes
|
||||
Priority: 260
|
||||
Auth-Type: Primary
|
||||
Auth:
|
||||
required pam_wheel.so group=sudo debug
|
||||
required pam_tally2.so deny=5 debug
|
10
usr/share/pam-configs/tally2-security-misc
Normal file
10
usr/share/pam-configs/tally2-security-misc
Normal file
@ -0,0 +1,10 @@
|
||||
Name: lock accounts after 5 failed authentication attempts (by package security-misc)
|
||||
Default: yes
|
||||
Priority: 260
|
||||
Auth-Type: Primary
|
||||
Auth:
|
||||
optional pam_exec.so debug stdout seteuid /usr/lib/security-misc/pam_tally2-info
|
||||
requisite pam_tally2.so even_deny_root deny=100 onerr=fail audit debug
|
||||
Account-Type: Primary
|
||||
Account:
|
||||
requisite pam_tally2.so debug
|
@ -3,4 +3,4 @@ Default: yes
|
||||
Priority: 256
|
||||
Session-Type: Additional
|
||||
Session:
|
||||
optional pam_umask.so usergroups
|
||||
optional pam_umask.so usergroups umask=006
|
6
usr/share/pam-configs/wheel-security-misc
Normal file
6
usr/share/pam-configs/wheel-security-misc
Normal file
@ -0,0 +1,6 @@
|
||||
Name: group sudo membership required to use su (by package security-misc)
|
||||
Default: yes
|
||||
Priority: 270
|
||||
Auth-Type: Primary
|
||||
Auth:
|
||||
requisite pam_wheel.so group=sudo debug
|
Loading…
x
Reference in New Issue
Block a user