security-misc

mirror of https://github.com/Kicksecure/security-misc.git synced 2024-10-01 08:25:45 -04:00

Author	SHA1	Message	Date
Patrick Schleizer	528c5fc4c4	Merge branch 'master' into sysctl-initramfs	2020-01-15 11:02:03 +00:00
Patrick Schleizer	1059ccf225	bumped changelog version	2020-01-14 09:28:28 -05:00
Patrick Schleizer	660837dc38	fix case when user "user" does not exists	2020-01-14 09:25:32 -05:00
Patrick Schleizer	18c726c3ee	comment	2020-01-14 09:23:02 -05:00
Patrick Schleizer	b8652681e7	fix legacy	2020-01-14 09:21:47 -05:00
Patrick Schleizer	cc21f912a3	bumped changelog version	2020-01-14 09:20:36 -05:00
madaidan	0953bbe1d7	Update control	2020-01-13 21:05:35 +00:00
madaidan	9dc43eae38	Description	2020-01-12 21:42:07 +00:00
Patrick Schleizer	8341242abc	bumped changelog version	2020-01-11 15:19:29 -05:00
Patrick Schleizer	61a2d390a7	lintian	2020-01-11 15:15:12 -05:00
madaidan	6088444c37	Update control	2020-01-11 18:38:17 +00:00
Patrick Schleizer	13a1e1321e	bumped changelog version	2020-01-01 05:59:59 -05:00
Patrick Schleizer	b2bdeb9095	bumped changelog version	2019-12-31 06:08:32 -05:00
Patrick Schleizer	2a3aae62b1	fix	2019-12-31 06:06:52 -05:00
Patrick Schleizer	427deec3f5	bumped changelog version	2019-12-31 06:03:48 -05:00
Patrick Schleizer	e89552c984	add user "user" to group "console" in Whonix and Kicksecure enable Console Lockdown in Whonix and Kicksecure	2019-12-31 05:55:44 -05:00
Patrick Schleizer	b5a2d1dc58	bumped changelog version	2019-12-31 02:54:58 -05:00
Patrick Schleizer	06ed728d79	bumped changelog version	2019-12-30 06:42:14 -05:00
Patrick Schleizer	e4e9c4e3b0	bumped changelog version	2019-12-30 05:59:43 -05:00
Patrick Schleizer	d7f58db52c	bumped changelog version	2019-12-27 05:30:12 -05:00
Patrick Schleizer	507a30d6e3	bumped changelog version	2019-12-24 18:35:49 -05:00
Patrick Schleizer	0326cd5ee9	bumped changelog version	2019-12-24 08:07:55 -05:00
Patrick Schleizer	7a80837b4f	bumped changelog version	2019-12-23 08:48:04 -05:00
Patrick Schleizer	bef41a38c2	bumped changelog version	2019-12-23 03:58:00 -05:00
Patrick Schleizer	9ec5b0ee82	description: lockdown not enabled yet	2019-12-23 03:38:49 -05:00
Patrick Schleizer	1ff51ee061	merge	2019-12-23 03:37:28 -05:00
Patrick Schleizer	42ff53e9ad	bumped changelog version	2019-12-23 02:42:07 -05:00
Patrick Schleizer	175d1c2845	bumped changelog version	2019-12-23 02:13:13 -05:00
Patrick Schleizer	3670fcf48b	depend on libcap2-bin for setcap / getcap / capsh	2019-12-23 00:49:33 -05:00
Patrick Schleizer	bce02ffdc0	Merge pull request #47 from madaidan/msr Blacklist CPU MSRs	2019-12-22 15:26:07 +00:00
madaidan	8f11a520f4	Update control	2019-12-22 13:54:16 +00:00
Patrick Schleizer	008ce4817c	bumped changelog version	2019-12-21 14:55:03 -05:00
Patrick Schleizer	1213415ce6	bumped changelog version	2019-12-21 14:23:35 -05:00
Patrick Schleizer	1c99b56c9b	bumped changelog version	2019-12-21 07:49:55 -05:00
Patrick Schleizer	b74e5ca972	comment	2019-12-21 07:47:00 -05:00
Patrick Schleizer	0c4db8c2b0	bumped changelog version	2019-12-21 07:38:25 -05:00
Patrick Schleizer	af8b04b73d	rm_conffile /etc/apparmor.d/usr.lib.security-misc.pam_tally2-info rm_conffile /etc/apparmor.d/usr.lib.security-misc.permission-lockdown https://github.com/Whonix/security-misc/pull/45	2019-12-21 06:58:01 -05:00
Patrick Schleizer	fac17a963d	bumped changelog version	2019-12-21 06:28:19 -05:00
Patrick Schleizer	78d33d8b57	bumped changelog version	2019-12-21 06:12:20 -05:00
Patrick Schleizer	ff48b672a8	bumped changelog version	2019-12-21 06:00:17 -05:00
Patrick Schleizer	65b5adb2d7	bumped changelog version	2019-12-21 05:38:39 -05:00
Patrick Schleizer	2b5a49a61b	bumped changelog version	2019-12-21 05:31:55 -05:00
Patrick Schleizer	ed20980f4c	refactoring	2019-12-21 05:07:10 -05:00
Patrick Schleizer	89be5f2ecb	bumped changelog version	2019-12-21 02:05:39 -05:00
Patrick Schleizer	1cd5fb6a00	bumped changelog version	2019-12-20 11:50:25 -05:00
Patrick Schleizer	28d12c3966	bumped changelog version	2019-12-20 11:09:22 -05:00
Patrick Schleizer	c0ddb76d74	bumped changelog version	2019-12-20 10:50:51 -05:00
Patrick Schleizer	089c40135f	bumped changelog version	2019-12-20 08:15:00 -05:00
Patrick Schleizer	ddc0eec63d	bumped changelog version	2019-12-20 07:12:36 -05:00
Patrick Schleizer	8e112c3423	description	2019-12-20 06:53:24 -05:00
Patrick Schleizer	24ea70384b	description	2019-12-20 06:53:03 -05:00
Patrick Schleizer	6dd6530fa5	remove hardening-enable please invent package security-paranoid instead https://forums.whonix.org/t/security-hardening-tool-usr-bin-hardening-enable-by-security-misc/8609	2019-12-20 05:32:26 -05:00
Patrick Schleizer	62eb462920	skip console_users_check for Qubes users	2019-12-16 06:46:48 -05:00
Patrick Schleizer	ab68182e11	bumped changelog version	2019-12-16 06:27:51 -05:00
Patrick Schleizer	2c4170e6f3	description	2019-12-12 09:47:58 -05:00
Patrick Schleizer	2d5ef378f3	description	2019-12-12 09:39:39 -05:00
Patrick Schleizer	a10597de92	bumped changelog version	2019-12-12 09:04:15 -05:00
Patrick Schleizer	729fa26eca	use pam_acccess only for /etc/pam.d/login remove "Allow members of group 'ssh' to login." remove "+:ssh:ALL EXCEPT LOCAL"	2019-12-12 09:00:08 -05:00
Patrick Schleizer	22b6480bc4	bumped changelog version	2019-12-10 11:44:02 -05:00
Patrick Schleizer	88bea2a6ef	comment	2019-12-10 03:53:10 -05:00
Patrick Schleizer	7d8001ddc9	refactoring	2019-12-10 03:51:39 -05:00
Patrick Schleizer	d2f6ac0491	fix, do user/group modifications in preinst rather than postinst	2019-12-10 03:50:23 -05:00
Patrick Schleizer	64ae53edb9	bumped changelog version	2019-12-09 08:25:30 -05:00
Patrick Schleizer	6f944234a9	bumped changelog version	2019-12-08 05:26:29 -05:00
Patrick Schleizer	c192644ee3	security-misc `/usr/share/pam-configs/permission-lockdown-security-misc` is no longer required, removed. Thereby fix apparmor issue. > Dec 08 09:47:50 host audit[3232]: AVC apparmor="DENIED" operation="exec" profile="/usr/bin/whonixcheck" name="/usr/lib/security-misc/permission-lockdown" pid=3232 comm="sudo" requested_mask="x" denied_mask="x" fsuid=0 ouid=0 > Dec 08 09:47:50 host sudo[3232]: pam_exec(sudo:session): execve(/usr/lib/security-misc/permission-lockdown,...) failed: Permission denied It is no longer required, because... existing linux user accounts: * Get permission lock down because security-misc `debian/security-misc.postinst` calls `/usr/lib/security-misc/permission-lockdown`. new linux user accounts (created at first boot): * security-misc `/usr/share/pam-configs/mkhomedir-security-misc` pam mkhomedir sets secure permissions using `umask=027`.	2019-12-08 05:21:35 -05:00
Patrick Schleizer	edcc2de71d	bumped changelog version	2019-12-08 04:38:33 -05:00
Patrick Schleizer	17d81d0083	bumped changelog version	2019-12-08 04:27:01 -05:00
Patrick Schleizer	ebae9eef38	skip sudo_users_check in Qubes Qubes users can use dom0 to get a root terminal emulator. For example: qvm-run -u root debian-10 xterm	2019-12-08 04:25:19 -05:00
Patrick Schleizer	53e4717c62	bumped changelog version	2019-12-08 04:05:29 -05:00
Patrick Schleizer	a345a0fb64	abort installation if ssh.service is enabled but no user is member of group ssh	2019-12-08 03:27:12 -05:00
Patrick Schleizer	cea598dc1a	refactoring	2019-12-08 02:43:05 -05:00
Patrick Schleizer	54f5e02c21	comment	2019-12-08 02:42:30 -05:00
Patrick Schleizer	b4265195f4	refactoring	2019-12-08 02:41:36 -05:00
Patrick Schleizer	0f65b2e85c	abort installation if no user is a member of group "console"; output https://forums.whonix.org/t/etc-security-hardening-console-lockdown-pam-access-access-conf/8592/7	2019-12-08 02:38:19 -05:00
Patrick Schleizer	1dbca1ea2d	add usr/bin/hardening-enable	2019-12-08 02:27:09 -05:00
Patrick Schleizer	24423b42f0	description	2019-12-08 02:03:05 -05:00
Patrick Schleizer	6b01e5be14	comment	2019-12-08 02:01:22 -05:00
Patrick Schleizer	66bebefc9f	description	2019-12-08 02:00:23 -05:00
Patrick Schleizer	52e0f104cc	comment	2019-12-08 01:59:55 -05:00
Patrick Schleizer	731d486fa0	refactoring	2019-12-08 01:58:58 -05:00
Patrick Schleizer	221a2df2a2	refactoring	2019-12-08 01:58:37 -05:00
Patrick Schleizer	b871421a54	usr/share/pam-configs/console-lockdown -> usr/share/pam-configs/console-lockdown-security-misc	2019-12-08 01:57:43 -05:00
Patrick Schleizer	d36669596f	comment	2019-12-08 01:56:30 -05:00
Patrick Schleizer	1a0f353708	comment	2019-12-08 01:47:40 -05:00
Patrick Schleizer	eed1f0a462	comment	2019-12-08 01:46:32 -05:00
Patrick Schleizer	2491b62393	refactoring, add all groups first before adding any users to any groups	2019-12-08 01:43:45 -05:00
Patrick Schleizer	1464f01d19	description	2019-12-08 01:30:42 -05:00
Patrick Schleizer	c1800b13fe	separate group "ssh" for incoming ssh console permission Thanks to @madaidan https://forums.whonix.org/t/etc-security-hardening-console-lockdown-pam-access-access-conf/8592/16	2019-12-07 11:26:39 -05:00
Patrick Schleizer	55225aa30e	description	2019-12-07 07:16:07 -05:00
Patrick Schleizer	34a2bc16c8	description	2019-12-07 07:15:58 -05:00
Patrick Schleizer	d823f06c78	description	2019-12-07 07:13:42 -05:00
Patrick Schleizer	090ddbe96a	description	2019-12-07 06:00:41 -05:00
Patrick Schleizer	6479c883bf	Console Lockdown. Allow members of group 'console' to use tty1 to tty7. Everyone else except members of group 'console-unrestricted' are restricted from using console using ancient, unpopular login methods such as using /bin/login over networks, which might be exploitable. (CVE-2001-0797) Not enabled by default in this package since this package does not know which users shall be added to group 'console'. In new Whonix builds, user 'user" will be added to group 'console' and pam console-lockdown enabled by package anon-base-files. /usr/share/pam-configs/console-lockdown /etc/security/access-security-misc.conf https://forums.whonix.org/t/etc-security-hardening/8592	2019-12-07 05:40:20 -05:00
Patrick Schleizer	52934c9288	bumped changelog version	2019-12-07 02:02:32 -05:00
Patrick Schleizer	6d92d03b31	description	2019-12-07 01:54:50 -05:00
Patrick Schleizer	0afcc5e798	bumped changelog version	2019-12-06 12:43:21 -05:00
Patrick Schleizer	af0cf058e7	bumped changelog version	2019-12-06 11:18:20 -05:00
Patrick Schleizer	bff425fec2	bumped changelog version	2019-12-06 09:32:18 -05:00
Patrick Schleizer	470cad6e91	remount /home /tmp /dev/shm /run with nosuid,nodev (default) and noexec (opt-in) https://forums.whonix.org/t/re-mount-home-and-other-with-noexec-and-nosuid-among-other-useful-mount-options-for-better-security/7707	2019-12-06 05:14:02 -05:00
madaidan	af9e19c51f	Update control	2019-12-05 20:14:55 +00:00

1 2 3 4 5 ...

404 Commits