From 38099a2a5d830a522fd51b9d9953ae47a14c5289 Mon Sep 17 00:00:00 2001
From: madaidan <50278627+madaidan@users.noreply.github.com>
Date: Mon, 8 Jul 2019 23:11:17 +0000
Subject: [PATCH 1/6] Create su.security-misc

---
 etc/pam.d/su.security-misc | 61 ++++++++++++++++++++++++++++++++++++++
 1 file changed, 61 insertions(+)
 create mode 100644 etc/pam.d/su.security-misc

diff --git a/etc/pam.d/su.security-misc b/etc/pam.d/su.security-misc
new file mode 100644
index 0000000..d5c6903
--- /dev/null
+++ b/etc/pam.d/su.security-misc
@@ -0,0 +1,61 @@
+#
+# The PAM configuration file for the Shadow `su' service
+#
+
+# This allows root to su without passwords (normal operation)
+auth       sufficient pam_rootok.so
+
+# Uncomment this to force users to be a member of group root
+# before they can use `su'. You can also add "group=foo"
+# to the end of this line if you want to use a group other
+# than the default "root" (but this may have side effect of
+# denying "root" user, unless she's a member of "foo" or explicitly
+# permitted earlier by e.g. "sufficient pam_rootok.so").
+# (Replaces the `SU_WHEEL_ONLY' option from login.defs)
+# auth       required   pam_wheel.so
+
+# Uncomment this if you want wheel members to be able to
+# su without a password.
+# auth       sufficient pam_wheel.so trust
+
+# Uncomment this if you want members of a specific group to not
+# be allowed to use su at all.
+# auth       required   pam_wheel.so deny group=nosu
+
+# Uncomment and edit /etc/security/time.conf if you need to set
+# time restrainst on su usage.
+# (Replaces the `PORTTIME_CHECKS_ENAB' option from login.defs
+# as well as /etc/porttime)
+# account    requisite  pam_time.so
+
+# This module parses environment configuration file(s)
+# and also allows you to use an extended config
+# file /etc/security/pam_env.conf.
+# 
+# parsing /etc/environment needs "readenv=1"
+session       required   pam_env.so readenv=1
+# locale variables are also kept into /etc/default/locale in etch
+# reading this file *in addition to /etc/environment* does not hurt
+session       required   pam_env.so readenv=1 envfile=/etc/default/locale
+
+# Defines the MAIL environment variable
+# However, userdel also needs MAIL_DIR and MAIL_FILE variables
+# in /etc/login.defs to make sure that removing a user 
+# also removes the user's mail spool file.
+# See comments in /etc/login.defs
+#
+# "nopen" stands to avoid reporting new mail when su'ing to another user
+session    optional   pam_mail.so nopen
+
+# Sets up user limits according to /etc/security/limits.conf
+# (Replaces the use of /etc/limits in old login)
+session    required   pam_limits.so
+
+# The standard Unix authentication modules, used with
+# NIS (man nsswitch) as well as normal /etc/passwd and
+# /etc/shadow entries.
+@include common-auth
+@include common-account
+@include common-session
+
+

From 890298a3c882000a8351186521e9c1852dec298a Mon Sep 17 00:00:00 2001
From: madaidan <50278627+madaidan@users.noreply.github.com>
Date: Mon, 8 Jul 2019 23:15:56 +0000
Subject: [PATCH 2/6] Restrict su to users in the root group

---
 etc/pam.d/su.security-misc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/etc/pam.d/su.security-misc b/etc/pam.d/su.security-misc
index d5c6903..6e3c5ea 100644
--- a/etc/pam.d/su.security-misc
+++ b/etc/pam.d/su.security-misc
@@ -12,7 +12,7 @@ auth       sufficient pam_rootok.so
 # denying "root" user, unless she's a member of "foo" or explicitly
 # permitted earlier by e.g. "sufficient pam_rootok.so").
 # (Replaces the `SU_WHEEL_ONLY' option from login.defs)
-# auth       required   pam_wheel.so
+auth       required   pam_wheel.so
 
 # Uncomment this if you want wheel members to be able to
 # su without a password.

From 8ad9a54b094a4a15ef726f513e38c953cc247b80 Mon Sep 17 00:00:00 2001
From: madaidan <50278627+madaidan@users.noreply.github.com>
Date: Mon, 8 Jul 2019 23:17:17 +0000
Subject: [PATCH 3/6] Don't allow root login from a terminal

---
 etc/securetty.security-misc | 2 ++
 1 file changed, 2 insertions(+)
 create mode 100644 etc/securetty.security-misc

diff --git a/etc/securetty.security-misc b/etc/securetty.security-misc
new file mode 100644
index 0000000..ca0d81b
--- /dev/null
+++ b/etc/securetty.security-misc
@@ -0,0 +1,2 @@
+# /etc/securetty: list of terminals on which root is allowed to login.
+# See securetty(5) and login(1).

From 86117d957763a4dd07fb9a84c07a2934a02d32f8 Mon Sep 17 00:00:00 2001
From: madaidan <50278627+madaidan@users.noreply.github.com>
Date: Mon, 8 Jul 2019 23:19:19 +0000
Subject: [PATCH 4/6] Create common-password.security-misc

---
 etc/pam.d/common-password.security-misc | 33 +++++++++++++++++++++++++
 1 file changed, 33 insertions(+)
 create mode 100644 etc/pam.d/common-password.security-misc

diff --git a/etc/pam.d/common-password.security-misc b/etc/pam.d/common-password.security-misc
new file mode 100644
index 0000000..cb8c7b7
--- /dev/null
+++ b/etc/pam.d/common-password.security-misc
@@ -0,0 +1,33 @@
+#
+# /etc/pam.d/common-password - password-related modules common to all services
+#
+# This file is included from other service-specific PAM config files,
+# and should contain a list of modules that define the services to be
+# used to change user passwords.  The default is pam_unix.
+
+# Explanation of pam_unix options:
+#
+# The "sha512" option enables salted SHA512 passwords.  Without this option,
+# the default is Unix crypt.  Prior releases used the option "md5".
+#
+# The "obscure" option replaces the old `OBSCURE_CHECKS_ENAB' option in
+# login.defs.
+#
+# See the pam_unix manpage for other options.
+
+# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
+# To take advantage of this, it is recommended that you configure any
+# local modules either before or after the default block, and use
+# pam-auth-update to manage selection of other modules.  See
+# pam-auth-update(8) for details.
+
+# here are the per-package modules (the "Primary" block)
+password	[success=1 default=ignore]	pam_unix.so obscure sha512
+# here's the fallback if no module succeeds
+password	requisite			pam_deny.so
+# prime the stack with a positive return value if there isn't one already;
+# this avoids us returning an error just because nothing sets a success code
+# since the modules above will each just jump around
+password	required			pam_permit.so
+# and here are more per-package modules (the "Additional" block)
+# end of pam-auth-update config

From 24d9eadcb267b34ce31981d841e58d4e2c769793 Mon Sep 17 00:00:00 2001
From: madaidan <50278627+madaidan@users.noreply.github.com>
Date: Mon, 8 Jul 2019 23:19:59 +0000
Subject: [PATCH 5/6] Use 65536 hashing rounds

---
 etc/pam.d/common-password.security-misc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/etc/pam.d/common-password.security-misc b/etc/pam.d/common-password.security-misc
index cb8c7b7..2ad0af8 100644
--- a/etc/pam.d/common-password.security-misc
+++ b/etc/pam.d/common-password.security-misc
@@ -22,7 +22,7 @@
 # pam-auth-update(8) for details.
 
 # here are the per-package modules (the "Primary" block)
-password	[success=1 default=ignore]	pam_unix.so obscure sha512
+password	[success=1 default=ignore]	pam_unix.so obscure sha512 rounds=65536
 # here's the fallback if no module succeeds
 password	requisite			pam_deny.so
 # prime the stack with a positive return value if there isn't one already;

From 24b326d906375bb543b936936519231f51154dcd Mon Sep 17 00:00:00 2001
From: madaidan <50278627+madaidan@users.noreply.github.com>
Date: Mon, 8 Jul 2019 23:24:41 +0000
Subject: [PATCH 6/6] Update control

---
 debian/control | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/debian/control b/debian/control
index b7198b0..59ba659 100644
--- a/debian/control
+++ b/debian/control
@@ -25,6 +25,8 @@ Description: enhances misc security settings
  deactivates Netfilter's connection tracking helper;
  implements some kernel hardening;
  prevents DMA attacks;
+ restricts access to the root account;
+ increases the amount of hashing rounds used by shadow;
  .
  TCP time stamps (RFC 1323) allow for tracking clock
  information with millisecond resolution. This may or may not allow an
@@ -118,3 +120,11 @@ Description: enhances misc security settings
  .
  The default umask is changed to 006. This allows only the owner and group to
  read and write to newly created files.
+ .
+ Su is restricted to only users within the root group which prevents users from
+ using su to gain root access or switch user accounts.
+ .
+ Logging into the root account from a terminal is prevented.
+ .
+ The amount of hashing rounds used by shadow is bumped to 65536. This increases
+ the security of hashed passwords.