mirror of
https://github.com/Kicksecure/security-misc.git
synced 2024-10-01 08:25:45 -04:00
Merge remote-tracking branch 'origin/master'
This commit is contained in:
commit
8793708906
10
debian/control
vendored
10
debian/control
vendored
@ -25,6 +25,8 @@ Description: enhances misc security settings
|
|||||||
deactivates Netfilter's connection tracking helper;
|
deactivates Netfilter's connection tracking helper;
|
||||||
implements some kernel hardening;
|
implements some kernel hardening;
|
||||||
prevents DMA attacks;
|
prevents DMA attacks;
|
||||||
|
restricts access to the root account;
|
||||||
|
increases the amount of hashing rounds used by shadow;
|
||||||
.
|
.
|
||||||
TCP time stamps (RFC 1323) allow for tracking clock
|
TCP time stamps (RFC 1323) allow for tracking clock
|
||||||
information with millisecond resolution. This may or may not allow an
|
information with millisecond resolution. This may or may not allow an
|
||||||
@ -118,3 +120,11 @@ Description: enhances misc security settings
|
|||||||
.
|
.
|
||||||
The default umask is changed to 006. This allows only the owner and group to
|
The default umask is changed to 006. This allows only the owner and group to
|
||||||
read and write to newly created files.
|
read and write to newly created files.
|
||||||
|
.
|
||||||
|
Su is restricted to only users within the root group which prevents users from
|
||||||
|
using su to gain root access or switch user accounts.
|
||||||
|
.
|
||||||
|
Logging into the root account from a terminal is prevented.
|
||||||
|
.
|
||||||
|
The amount of hashing rounds used by shadow is bumped to 65536. This increases
|
||||||
|
the security of hashed passwords.
|
||||||
|
33
etc/pam.d/common-password.security-misc
Normal file
33
etc/pam.d/common-password.security-misc
Normal file
@ -0,0 +1,33 @@
|
|||||||
|
#
|
||||||
|
# /etc/pam.d/common-password - password-related modules common to all services
|
||||||
|
#
|
||||||
|
# This file is included from other service-specific PAM config files,
|
||||||
|
# and should contain a list of modules that define the services to be
|
||||||
|
# used to change user passwords. The default is pam_unix.
|
||||||
|
|
||||||
|
# Explanation of pam_unix options:
|
||||||
|
#
|
||||||
|
# The "sha512" option enables salted SHA512 passwords. Without this option,
|
||||||
|
# the default is Unix crypt. Prior releases used the option "md5".
|
||||||
|
#
|
||||||
|
# The "obscure" option replaces the old `OBSCURE_CHECKS_ENAB' option in
|
||||||
|
# login.defs.
|
||||||
|
#
|
||||||
|
# See the pam_unix manpage for other options.
|
||||||
|
|
||||||
|
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
|
||||||
|
# To take advantage of this, it is recommended that you configure any
|
||||||
|
# local modules either before or after the default block, and use
|
||||||
|
# pam-auth-update to manage selection of other modules. See
|
||||||
|
# pam-auth-update(8) for details.
|
||||||
|
|
||||||
|
# here are the per-package modules (the "Primary" block)
|
||||||
|
password [success=1 default=ignore] pam_unix.so obscure sha512 rounds=65536
|
||||||
|
# here's the fallback if no module succeeds
|
||||||
|
password requisite pam_deny.so
|
||||||
|
# prime the stack with a positive return value if there isn't one already;
|
||||||
|
# this avoids us returning an error just because nothing sets a success code
|
||||||
|
# since the modules above will each just jump around
|
||||||
|
password required pam_permit.so
|
||||||
|
# and here are more per-package modules (the "Additional" block)
|
||||||
|
# end of pam-auth-update config
|
61
etc/pam.d/su.security-misc
Normal file
61
etc/pam.d/su.security-misc
Normal file
@ -0,0 +1,61 @@
|
|||||||
|
#
|
||||||
|
# The PAM configuration file for the Shadow `su' service
|
||||||
|
#
|
||||||
|
|
||||||
|
# This allows root to su without passwords (normal operation)
|
||||||
|
auth sufficient pam_rootok.so
|
||||||
|
|
||||||
|
# Uncomment this to force users to be a member of group root
|
||||||
|
# before they can use `su'. You can also add "group=foo"
|
||||||
|
# to the end of this line if you want to use a group other
|
||||||
|
# than the default "root" (but this may have side effect of
|
||||||
|
# denying "root" user, unless she's a member of "foo" or explicitly
|
||||||
|
# permitted earlier by e.g. "sufficient pam_rootok.so").
|
||||||
|
# (Replaces the `SU_WHEEL_ONLY' option from login.defs)
|
||||||
|
auth required pam_wheel.so
|
||||||
|
|
||||||
|
# Uncomment this if you want wheel members to be able to
|
||||||
|
# su without a password.
|
||||||
|
# auth sufficient pam_wheel.so trust
|
||||||
|
|
||||||
|
# Uncomment this if you want members of a specific group to not
|
||||||
|
# be allowed to use su at all.
|
||||||
|
# auth required pam_wheel.so deny group=nosu
|
||||||
|
|
||||||
|
# Uncomment and edit /etc/security/time.conf if you need to set
|
||||||
|
# time restrainst on su usage.
|
||||||
|
# (Replaces the `PORTTIME_CHECKS_ENAB' option from login.defs
|
||||||
|
# as well as /etc/porttime)
|
||||||
|
# account requisite pam_time.so
|
||||||
|
|
||||||
|
# This module parses environment configuration file(s)
|
||||||
|
# and also allows you to use an extended config
|
||||||
|
# file /etc/security/pam_env.conf.
|
||||||
|
#
|
||||||
|
# parsing /etc/environment needs "readenv=1"
|
||||||
|
session required pam_env.so readenv=1
|
||||||
|
# locale variables are also kept into /etc/default/locale in etch
|
||||||
|
# reading this file *in addition to /etc/environment* does not hurt
|
||||||
|
session required pam_env.so readenv=1 envfile=/etc/default/locale
|
||||||
|
|
||||||
|
# Defines the MAIL environment variable
|
||||||
|
# However, userdel also needs MAIL_DIR and MAIL_FILE variables
|
||||||
|
# in /etc/login.defs to make sure that removing a user
|
||||||
|
# also removes the user's mail spool file.
|
||||||
|
# See comments in /etc/login.defs
|
||||||
|
#
|
||||||
|
# "nopen" stands to avoid reporting new mail when su'ing to another user
|
||||||
|
session optional pam_mail.so nopen
|
||||||
|
|
||||||
|
# Sets up user limits according to /etc/security/limits.conf
|
||||||
|
# (Replaces the use of /etc/limits in old login)
|
||||||
|
session required pam_limits.so
|
||||||
|
|
||||||
|
# The standard Unix authentication modules, used with
|
||||||
|
# NIS (man nsswitch) as well as normal /etc/passwd and
|
||||||
|
# /etc/shadow entries.
|
||||||
|
@include common-auth
|
||||||
|
@include common-account
|
||||||
|
@include common-session
|
||||||
|
|
||||||
|
|
2
etc/securetty.security-misc
Normal file
2
etc/securetty.security-misc
Normal file
@ -0,0 +1,2 @@
|
|||||||
|
# /etc/securetty: list of terminals on which root is allowed to login.
|
||||||
|
# See securetty(5) and login(1).
|
Loading…
Reference in New Issue
Block a user