Merge remote-tracking branch 'origin/master'

This commit is contained in:
Patrick Schleizer 2019-07-09 03:23:26 -04:00
commit 8793708906
No known key found for this signature in database
GPG Key ID: CB8D50BB77BB3C48
4 changed files with 106 additions and 0 deletions

10
debian/control vendored
View File

@ -25,6 +25,8 @@ Description: enhances misc security settings
deactivates Netfilter's connection tracking helper; deactivates Netfilter's connection tracking helper;
implements some kernel hardening; implements some kernel hardening;
prevents DMA attacks; prevents DMA attacks;
restricts access to the root account;
increases the amount of hashing rounds used by shadow;
. .
TCP time stamps (RFC 1323) allow for tracking clock TCP time stamps (RFC 1323) allow for tracking clock
information with millisecond resolution. This may or may not allow an information with millisecond resolution. This may or may not allow an
@ -118,3 +120,11 @@ Description: enhances misc security settings
. .
The default umask is changed to 006. This allows only the owner and group to The default umask is changed to 006. This allows only the owner and group to
read and write to newly created files. read and write to newly created files.
.
Su is restricted to only users within the root group which prevents users from
using su to gain root access or switch user accounts.
.
Logging into the root account from a terminal is prevented.
.
The amount of hashing rounds used by shadow is bumped to 65536. This increases
the security of hashed passwords.

View File

@ -0,0 +1,33 @@
#
# /etc/pam.d/common-password - password-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of modules that define the services to be
# used to change user passwords. The default is pam_unix.
# Explanation of pam_unix options:
#
# The "sha512" option enables salted SHA512 passwords. Without this option,
# the default is Unix crypt. Prior releases used the option "md5".
#
# The "obscure" option replaces the old `OBSCURE_CHECKS_ENAB' option in
# login.defs.
#
# See the pam_unix manpage for other options.
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules. See
# pam-auth-update(8) for details.
# here are the per-package modules (the "Primary" block)
password [success=1 default=ignore] pam_unix.so obscure sha512 rounds=65536
# here's the fallback if no module succeeds
password requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
password required pam_permit.so
# and here are more per-package modules (the "Additional" block)
# end of pam-auth-update config

View File

@ -0,0 +1,61 @@
#
# The PAM configuration file for the Shadow `su' service
#
# This allows root to su without passwords (normal operation)
auth sufficient pam_rootok.so
# Uncomment this to force users to be a member of group root
# before they can use `su'. You can also add "group=foo"
# to the end of this line if you want to use a group other
# than the default "root" (but this may have side effect of
# denying "root" user, unless she's a member of "foo" or explicitly
# permitted earlier by e.g. "sufficient pam_rootok.so").
# (Replaces the `SU_WHEEL_ONLY' option from login.defs)
auth required pam_wheel.so
# Uncomment this if you want wheel members to be able to
# su without a password.
# auth sufficient pam_wheel.so trust
# Uncomment this if you want members of a specific group to not
# be allowed to use su at all.
# auth required pam_wheel.so deny group=nosu
# Uncomment and edit /etc/security/time.conf if you need to set
# time restrainst on su usage.
# (Replaces the `PORTTIME_CHECKS_ENAB' option from login.defs
# as well as /etc/porttime)
# account requisite pam_time.so
# This module parses environment configuration file(s)
# and also allows you to use an extended config
# file /etc/security/pam_env.conf.
#
# parsing /etc/environment needs "readenv=1"
session required pam_env.so readenv=1
# locale variables are also kept into /etc/default/locale in etch
# reading this file *in addition to /etc/environment* does not hurt
session required pam_env.so readenv=1 envfile=/etc/default/locale
# Defines the MAIL environment variable
# However, userdel also needs MAIL_DIR and MAIL_FILE variables
# in /etc/login.defs to make sure that removing a user
# also removes the user's mail spool file.
# See comments in /etc/login.defs
#
# "nopen" stands to avoid reporting new mail when su'ing to another user
session optional pam_mail.so nopen
# Sets up user limits according to /etc/security/limits.conf
# (Replaces the use of /etc/limits in old login)
session required pam_limits.so
# The standard Unix authentication modules, used with
# NIS (man nsswitch) as well as normal /etc/passwd and
# /etc/shadow entries.
@include common-auth
@include common-account
@include common-session

View File

@ -0,0 +1,2 @@
# /etc/securetty: list of terminals on which root is allowed to login.
# See securetty(5) and login(1).