Git-Mirrors/security-misc
1
0
Fork 0
mirror of https://github.com/Kicksecure/security-misc.git synced 2024-10-01 08:25:45 -04:00
Code Issues Packages Projects Releases Wiki Activity
1,452 Commits 2 Branches 291 Tags 8.2 MiB
053142cdb5
Commit Graph

49 Commits

Author SHA1 Message Date
Patrick Schleizer
be8c10496f
fix faillock implementation 
dovecot / ssh are exempted
 2021-09-01 15:55:53 -04:00
Patrick Schleizer
582492d6d8
port from pam_tally2 to pam_faillock 
since pam_tally2 was deprecated upstream
 2021-08-10 17:13:00 -04:00
Patrick Schleizer
2bf0e7471c
port from pam_tally2 to pam_faillock 
since pam_tally2 was deprecated upstream
 2021-08-10 15:11:01 -04:00
Patrick Schleizer
2aea74bd71
renamed: usr/libexec/security-misc/pam_tally2-info -> usr/libexec/security-misc/pam-info 
renamed:    usr/libexec/security-misc/pam_tally2_not_if_x -> usr/libexec/security-misc/pam_faillock_not_if_x
renamed:    usr/share/pam-configs/tally2-security-misc -> usr/share/pam-configs/faillock-security-misc
 2021-08-10 15:06:04 -04:00
Patrick Schleizer
50bdd097df
move /usr/lib/security-misc to /usr/libexec/security-misc as per lintian FHS 2021-08-03 12:56:31 -04:00
Patrick Schleizer
9622f28e25
skip counting failed login attempts from dovecot 
Failed dovecot logins should not result in account getting locked.

revert "use pam_tally2 only for login"
 2021-01-27 05:49:34 -05:00
Patrick Schleizer
6757104aa4
use pam_tally2 only for login 
to skip counting failed login attempts over ssh and mail login
 2021-01-24 05:04:48 -05:00
Patrick Schleizer
300f010fc2
increase priority of pam-abort-on-locked-password-security-misc 
since it has its own user help output

so it shows before pam tally2 info

to avoid duplicate non-applicable help text
 2019-12-12 09:29:00 -05:00
Patrick Schleizer
729fa26eca
use pam_acccess only for /etc/pam.d/login 
remove "Allow members of group 'ssh' to login."
remove "+:ssh:ALL EXCEPT LOCAL"
 2019-12-12 09:00:08 -05:00
Patrick Schleizer
c192644ee3
security-misc /usr/share/pam-configs/permission-lockdown-security-misc is no longer required, removed. 
Thereby fix apparmor issue.

> Dec 08 09:47:50 host audit[3232]: AVC apparmor="DENIED" operation="exec" profile="/usr/bin/whonixcheck" name="/usr/lib/security-misc/permission-lockdown" pid=3232 comm="sudo" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
> Dec 08 09:47:50 host sudo[3232]: pam_exec(sudo:session): execve(/usr/lib/security-misc/permission-lockdown,...) failed: Permission denied

It is no longer required, because...

existing linux user accounts:

* Get permission lock down because security-misc `debian/security-misc.postinst` calls `/usr/lib/security-misc/permission-lockdown`.

new linux user accounts (created at first boot):

* security-misc `/usr/share/pam-configs/mkhomedir-security-misc` pam mkhomedir sets secure permissions using `umask=027`.
 2019-12-08 05:21:35 -05:00
Patrick Schleizer
c7c65fe4e7
higher priority usr/share/pam-configs/tally2-security-misc 
so it can give info before pam stack gets aborted by other pam modules
 2019-12-08 03:15:53 -05:00
Patrick Schleizer
19cc6d7555
pam description 2019-12-08 02:10:43 -05:00
Patrick Schleizer
b871421a54
usr/share/pam-configs/console-lockdown -> usr/share/pam-configs/console-lockdown-security-misc 2019-12-08 01:57:43 -05:00
Patrick Schleizer
6479c883bf
Console Lockdown. 
Allow members of group 'console' to use tty1 to tty7. Everyone else except
members of group 'console-unrestricted' are restricted from using console
using ancient, unpopular login methods such as using /bin/login over networks,
which might be exploitable. (CVE-2001-0797)

Not enabled by default in this package since this package does not know which
users shall be added to group 'console'.

In new Whonix builds, user 'user" will be added to group 'console' and
pam console-lockdown enabled by package anon-base-files.

/usr/share/pam-configs/console-lockdown

/etc/security/access-security-misc.conf

https://forums.whonix.org/t/etc-security-hardening/8592
 2019-12-07 05:40:20 -05:00
Patrick Schleizer
aa5451c8cd
Lock user accounts after 50 rather than 100 failed login attempts. 
https://forums.whonix.org/t/how-strong-do-linux-user-account-passwords-have-to-be-when-using-full-disk-encryption-fde-too/7698/19
 2019-11-25 01:39:53 -05:00
Patrick Schleizer
03e8023847
output 2019-11-22 14:11:30 -05:00
Patrick Schleizer
0ae5c5ff14
remove umask changes since these are causing issues are are not needed anymore 
thanks to home folder permission lockdown

https://forums.whonix.org/t/change-default-umask/7416/45
 2019-08-24 12:14:22 -04:00
Patrick Schleizer
41b2819ec8
PAM: abort on locked password 
to avoid needlessly bumping pam_tally2 counter

https://forums.whonix.org/t/restrict-root-access/7658/1
 2019-08-17 10:33:47 +00:00
Patrick Schleizer
ed90d8b025
change default umask to 027 
as per:

https://forums.whonix.org/t/change-default-umask/7416/47
 2019-08-17 09:55:20 +00:00
Patrick Schleizer
ff9bc1d7ea
informational output during PAM: 
* Show failed and remaining password attempts.
* Document unlock procedure if Linux user account got locked.
* Point out, that there is no password feedback for `su`.
* Explain locked (root) account if locked.
* /usr/share/pam-configs/tally2-security-misc
* /usr/lib/security-misc/pam_tally2-info
 2019-08-15 13:37:28 +00:00
Patrick Schleizer
454e135822
pam_tally2.so even_deny_root 2019-08-15 07:33:41 +00:00
Patrick Schleizer
63b476221c
use requisite rather than required to avoid asking for password needlessly 
if login will fail anyhow
 2019-08-15 07:30:56 +00:00
Patrick Schleizer
8fdc77fed5
output to stdout 2019-08-14 10:33:23 +00:00
Patrick Schleizer
15094cab4f
avoid ' character in usr/share/pam-configs; in description 2019-08-14 09:36:30 +00:00
Patrick Schleizer
97d1945e61
no log needed, informative output to stdout instead 2019-08-14 09:32:58 +00:00
Patrick Schleizer
a085d46c56
change priories so "pam_umask.so usergroups umask=006" runs before pam_exec.so /usr/lib/security-misc/permission-lockdown 2019-08-14 09:31:58 +00:00
Patrick Schleizer
ce06fdf911
formatting 2019-08-14 05:15:53 -04:00
Patrick Schleizer
21489111d1
run permission lockdown during pam 
https://forums.whonix.org/t/change-default-umask/7416
 2019-08-14 08:34:03 +00:00
Patrick Schleizer
52df8dc014
optional pam_umask.so usergroups umask=006 2019-08-14 07:37:21 +00:00
Patrick Schleizer
2f37a66fd0
description 2019-08-11 10:31:29 +00:00
Patrick Schleizer
e83ec79a25
enable usr/share/pam-configs/mkhomedir-security-misc by default 2019-08-11 10:30:51 +00:00
Patrick Schleizer
1eb806a03e
pam_mkhomedir.so umask=006 2019-08-11 10:29:49 +00:00
Patrick Schleizer
c50eb3c9b0
add usr/share/pam-configs/mkhomedir-security-misc based on 
/usr/share/pam-configs/mkhomedir
 2019-08-11 10:28:55 +00:00
Patrick Schleizer
a2fa18c381
pam_tally2.so deny=100 
during testing, due to issues

d17e25272b

https://forums.whonix.org/t/how-strong-do-linux-user-account-passwords-have-to-be-when-using-full-disk-encryption-fde-too/7698/12
 2019-08-10 07:07:28 -04:00
Patrick Schleizer
d17e25272b
effectively (not directly) add "required pam_tally2.so debug" to /etc/pam.d/common-account 
This is required because otherwise something like "sudo bash" would count as a
failed login for pam_tally2 even though it was successful.

https://bugzilla.redhat.com/show_bug.cgi?id=707660

https://forums.whonix.org/t/restrict-root-access/7658
 2019-08-10 06:06:39 -04:00
Patrick Schleizer
0f896a9d8d
add onerr=fail audit to pam_tally2 2019-08-10 06:05:37 -04:00
Patrick Schleizer
e076470f68
renamed: usr/share/pam-configs/usergroups -> usr/share/pam-configs/usergroups-security-misc 2019-08-01 11:04:58 +00:00
Patrick Schleizer
830111e99a
split usr/share/pam-configs/security-misc 
into
usr/share/pam-configs/tally2-security-misc
usr/share/pam-configs/wheel-security-misc
 2019-08-01 11:04:22 +00:00
Patrick Schleizer
89d32402b2
fix, do not use "," inside /usr/share/pam-configs files 2019-07-31 14:52:29 -04:00
Patrick Schleizer
cf90668756
lock user accounts after 5 failed authentication attempts using pam_tally2 2019-07-31 03:25:02 -04:00
Patrick Schleizer
3e29761560
debug at the end 2019-07-31 03:17:06 -04:00
Patrick Schleizer
5cdb3edb32
usr/share/pam-configs/wheel -> usr/share/pam-configs/security-misc 2019-07-31 03:16:41 -04:00
Patrick Schleizer
3f9437f1ec
Revert "set back to default group "root" rather than group "sudo" membership required to use su" 
This reverts commit 2f276cdb10.
 2019-07-17 14:25:19 -04:00
Patrick Schleizer
2f276cdb10
set back to default group "root" rather than group "sudo" membership required to use su 
since root login will be locked by default anyhow

Thanks to @madaidan for providing the rationale!

https://forums.whonix.org/t/restrict-root-access/7658/42
 2019-07-15 08:44:28 -04:00
Patrick Schleizer
6d1e8ac9a4
description 2019-07-14 11:16:49 +00:00
Patrick Schleizer
ffb61f43ea
fix, add 'group=sudo' and 'debug' for debugging 
https://forums.whonix.org/t/restrict-root-access/7658
 2019-07-14 11:11:59 +00:00
Patrick Schleizer
e9eb38b5db
formatting 2019-07-13 15:04:09 +00:00
Patrick Schleizer
cb668459e8
port umask from /etc/pam.d to /usr/share/pam-configs implementation 
https://forums.whonix.org/t/change-default-umask/7416
 2019-07-13 10:35:10 -04:00
Patrick Schleizer
69b97981f3
convert etc/pam.d/su.security-misc to usr/share/pam-configs/wheel 
https://forums.whonix.org/t/restrict-root-access/7658/32
 2019-07-13 12:33:51 +00:00