diff --git a/debian/control b/debian/control index b7198b0..59ba659 100644 --- a/debian/control +++ b/debian/control @@ -25,6 +25,8 @@ Description: enhances misc security settings deactivates Netfilter's connection tracking helper; implements some kernel hardening; prevents DMA attacks; + restricts access to the root account; + increases the amount of hashing rounds used by shadow; . TCP time stamps (RFC 1323) allow for tracking clock information with millisecond resolution. This may or may not allow an @@ -118,3 +120,11 @@ Description: enhances misc security settings . The default umask is changed to 006. This allows only the owner and group to read and write to newly created files. + . + Su is restricted to only users within the root group which prevents users from + using su to gain root access or switch user accounts. + . + Logging into the root account from a terminal is prevented. + . + The amount of hashing rounds used by shadow is bumped to 65536. This increases + the security of hashed passwords. diff --git a/etc/pam.d/common-password.security-misc b/etc/pam.d/common-password.security-misc new file mode 100644 index 0000000..2ad0af8 --- /dev/null +++ b/etc/pam.d/common-password.security-misc @@ -0,0 +1,33 @@ +# +# /etc/pam.d/common-password - password-related modules common to all services +# +# This file is included from other service-specific PAM config files, +# and should contain a list of modules that define the services to be +# used to change user passwords. The default is pam_unix. + +# Explanation of pam_unix options: +# +# The "sha512" option enables salted SHA512 passwords. Without this option, +# the default is Unix crypt. Prior releases used the option "md5". +# +# The "obscure" option replaces the old `OBSCURE_CHECKS_ENAB' option in +# login.defs. +# +# See the pam_unix manpage for other options. + +# As of pam 1.0.1-6, this file is managed by pam-auth-update by default. +# To take advantage of this, it is recommended that you configure any +# local modules either before or after the default block, and use +# pam-auth-update to manage selection of other modules. See +# pam-auth-update(8) for details. + +# here are the per-package modules (the "Primary" block) +password [success=1 default=ignore] pam_unix.so obscure sha512 rounds=65536 +# here's the fallback if no module succeeds +password requisite pam_deny.so +# prime the stack with a positive return value if there isn't one already; +# this avoids us returning an error just because nothing sets a success code +# since the modules above will each just jump around +password required pam_permit.so +# and here are more per-package modules (the "Additional" block) +# end of pam-auth-update config diff --git a/etc/pam.d/su.security-misc b/etc/pam.d/su.security-misc new file mode 100644 index 0000000..6e3c5ea --- /dev/null +++ b/etc/pam.d/su.security-misc @@ -0,0 +1,61 @@ +# +# The PAM configuration file for the Shadow `su' service +# + +# This allows root to su without passwords (normal operation) +auth sufficient pam_rootok.so + +# Uncomment this to force users to be a member of group root +# before they can use `su'. You can also add "group=foo" +# to the end of this line if you want to use a group other +# than the default "root" (but this may have side effect of +# denying "root" user, unless she's a member of "foo" or explicitly +# permitted earlier by e.g. "sufficient pam_rootok.so"). +# (Replaces the `SU_WHEEL_ONLY' option from login.defs) +auth required pam_wheel.so + +# Uncomment this if you want wheel members to be able to +# su without a password. +# auth sufficient pam_wheel.so trust + +# Uncomment this if you want members of a specific group to not +# be allowed to use su at all. +# auth required pam_wheel.so deny group=nosu + +# Uncomment and edit /etc/security/time.conf if you need to set +# time restrainst on su usage. +# (Replaces the `PORTTIME_CHECKS_ENAB' option from login.defs +# as well as /etc/porttime) +# account requisite pam_time.so + +# This module parses environment configuration file(s) +# and also allows you to use an extended config +# file /etc/security/pam_env.conf. +# +# parsing /etc/environment needs "readenv=1" +session required pam_env.so readenv=1 +# locale variables are also kept into /etc/default/locale in etch +# reading this file *in addition to /etc/environment* does not hurt +session required pam_env.so readenv=1 envfile=/etc/default/locale + +# Defines the MAIL environment variable +# However, userdel also needs MAIL_DIR and MAIL_FILE variables +# in /etc/login.defs to make sure that removing a user +# also removes the user's mail spool file. +# See comments in /etc/login.defs +# +# "nopen" stands to avoid reporting new mail when su'ing to another user +session optional pam_mail.so nopen + +# Sets up user limits according to /etc/security/limits.conf +# (Replaces the use of /etc/limits in old login) +session required pam_limits.so + +# The standard Unix authentication modules, used with +# NIS (man nsswitch) as well as normal /etc/passwd and +# /etc/shadow entries. +@include common-auth +@include common-account +@include common-session + + diff --git a/etc/securetty.security-misc b/etc/securetty.security-misc new file mode 100644 index 0000000..ca0d81b --- /dev/null +++ b/etc/securetty.security-misc @@ -0,0 +1,2 @@ +# /etc/securetty: list of terminals on which root is allowed to login. +# See securetty(5) and login(1).