Commit Graph

401 Commits

Author SHA1 Message Date
Patrick Schleizer
7e128636b3
improve LKRG VirtualBox host configuration
as per https://github.com/openwall/lkrg/issues/82#issuecomment-886188999
2021-07-25 11:26:20 -04:00
Patrick Schleizer
257cef24ba
add LKRG compatibility settings automation for VirtualBox hosts
https://github.com/openwall/lkrg/issues/82
2021-07-24 18:03:40 -04:00
Patrick Schleizer
74e39cbf69
pam-abort-on-locked-password: more descriptive error handling
https://forums.whonix.org/t/restrict-root-access/7658/1
2021-06-20 11:18:56 -04:00
Patrick Schleizer
a67007f4b7
copyright 2021-03-17 09:45:21 -04:00
Patrick Schleizer
a1819e8cab
comment 2021-03-01 09:15:44 -05:00
Kenton Groombridge
4db7d6be64
hide-hardware-info: allow unrestricting selinuxfs
On SELinux systems, the /sys/fs/selinux directory must be visible to
userspace utilities in order to function properly.
2021-02-06 03:02:08 -05:00
Patrick Schleizer
af3244741d
comment 2021-01-29 23:15:52 -05:00
Patrick Schleizer
b0b7f569ee
comment 2021-01-28 02:11:54 -05:00
Patrick Schleizer
9622f28e25
skip counting failed login attempts from dovecot
Failed dovecot logins should not result in account getting locked.

revert "use pam_tally2 only for login"
2021-01-27 05:49:34 -05:00
Patrick Schleizer
6757104aa4
use pam_tally2 only for login
to skip counting failed login attempts over ssh and mail login
2021-01-24 05:04:48 -05:00
Patrick Schleizer
c5097ed599
comment 2020-12-06 04:23:09 -05:00
Patrick Schleizer
c031f22995
SUID Disabler and Permission Hardener: introduce configuration option to disable all whitelists
`whitelists_disable_all=true`
2020-12-01 05:14:48 -05:00
Patrick Schleizer
b09cc0de6a
Revert "SUID Disabler and Permission Hardener: introduce configuration option to disable all whitelists"
This reverts commit 36a471ebce.
2020-12-01 05:10:26 -05:00
Patrick Schleizer
36a471ebce
SUID Disabler and Permission Hardener: introduce configuration option to disable all whitelists
`whitelists_disable_all=true`
2020-12-01 05:02:34 -05:00
Patrick Schleizer
28a326a8a1
add feature /usr/lib/security-misc/permission-hardening-undo /path/to/filename
to allow removing 1 SUID

fix, show INFO message if file does not exist during removal rather than ERROR
2020-11-28 05:31:12 -05:00
Patrick Schleizer
abae787186
usability: pam abort when attempting to login to root when root password is locked 2020-11-05 06:47:16 -05:00
Patrick Schleizer
581e31af81
comment 2020-11-05 06:46:57 -05:00
Patrick Schleizer
dfe9b0f6c7
fix, no longer unconditionally abort pam for user accounts with locked passwords
as locked user accounts might have valid sudoers exceptions

Thanks to @mimp for the bug report!

https://forums.whonix.org/t/pam-abort-on-locked-password-and-running-privileged-command-from-web-browser/10521
2020-11-05 06:42:47 -05:00
Patrick Schleizer
211769dc65
comment 2020-11-05 06:41:51 -05:00
Patrick Schleizer
7952139731
comment 2020-11-05 06:39:32 -05:00
Patrick Schleizer
bb72c1278d
copyright 2020-11-05 06:36:39 -05:00
Patrick Schleizer
5c81e1f23f
import from anon-gpg-conf 2020-04-06 09:25:45 -04:00
Patrick Schleizer
1188a44f47
port to python 3.7 2020-04-04 16:49:30 -04:00
Patrick Schleizer
2ceea8d1fe
update copyright year 2020-04-01 08:49:59 -04:00
Patrick Schleizer
649ec5dfa1
pkexec wrapper: fix gdebi / synaptic
but at cost of checking for passwordless sudo /etc/suders /etc/sudoers.d
exceptions.

http://forums.whonix.org/t/cannot-use-pkexec/8129/53
2020-02-29 04:59:56 -05:00
Patrick Schleizer
9bbae903fe
remove-system.map: lower verbosity output 2020-02-15 05:29:48 -05:00
madaidan
31009f0bfa
Shred System.map files 2020-02-14 23:46:19 +00:00
Patrick Schleizer
1f6ed2cc70
add support for passing parameters to usr/lib/security-misc/apt-get-update 2020-02-03 08:55:20 -05:00
Patrick Schleizer
8627c9f76d
/usr/lib/security-misc/apt-get-update increase default timeout_after="600" 2020-01-31 12:18:02 -05:00
Patrick Schleizer
829e28aa90
/usr/lib/security-misc/apt-get-update environment variable timeout_after kill_after support 2020-01-31 12:17:07 -05:00
Patrick Schleizer
d4a37b6df2
remove-system.map: source /usr/lib/helper-scripts/pre.bsh 2020-01-24 03:18:17 -05:00
Patrick Schleizer
18041efa2f
fix pam tally2 check when read-only disk boot without ro-mode-init or grub-live 2020-01-21 10:01:17 -05:00
Patrick Schleizer
80159545a5
fix xfce4-power-manager xfpm-power-backlight-helper pkexec lxsudo popup
https://forums.whonix.org/t/xfce4-power-manager-xfpm-power-backlight-helper-pkexec-lxsudo-popup/8764

do show lxqt-sudo password prompt if there is a sudoers exceptoin

improved pkexec wrapper logging
2020-01-15 02:42:10 -05:00
Patrick Schleizer
d90ca4b1ad
refactoring 2020-01-14 15:12:13 -05:00
Patrick Schleizer
082f04f2d4
add logging to pkexec wrapper 2020-01-14 15:04:58 -05:00
Patrick Schleizer
5031e7cc4b
better output if trying to login with non-existing user 2019-12-31 08:18:38 -05:00
Patrick Schleizer
20697db3ee
improve console lockdown info output 2019-12-31 02:53:02 -05:00
Patrick Schleizer
788914de95
group ssh check was removed
https://forums.whonix.org/t/etc-security-hardening-console-lockdown-pam-access-access-conf/8592/27
2019-12-31 02:46:32 -05:00
Patrick Schleizer
1a0f7a7733
debugging 2019-12-29 04:43:32 -05:00
Patrick Schleizer
5271892cb1
debugging 2019-12-29 04:42:54 -05:00
Patrick Schleizer
683028049c
debugging 2019-12-29 04:41:23 -05:00
Patrick Schleizer
e3e1ff2a31
exit with error if a config line cannot be processed rather than skipping
https://forums.whonix.org/t/disable-suid-binaries/7706/59
2019-12-29 04:35:46 -05:00
Patrick Schleizer
d5c99f3a60
output 2019-12-29 04:27:21 -05:00
Patrick Schleizer
04f438f75d
comment 2019-12-24 18:09:37 -05:00
Patrick Schleizer
9da0e428ed
debugging 2019-12-24 17:54:31 -05:00
Patrick Schleizer
e18ec533c3
comment 2019-12-24 17:54:02 -05:00
Patrick Schleizer
f8f2e6c704
fix disablewhitelist feature 2019-12-23 02:35:13 -05:00
Patrick Schleizer
47ddcad0c0
rename keyword whitelist to exactwhitelist
add new keyword disablewhitelist

refactoring
2019-12-23 02:29:47 -05:00
Patrick Schleizer
34bf245713
output 2019-12-23 01:35:45 -05:00
Patrick Schleizer
ba30e45d15
output 2019-12-23 01:32:42 -05:00
Patrick Schleizer
ee9c5742da
output 2019-12-23 01:29:48 -05:00
Patrick Schleizer
6d05359abc
output 2019-12-23 01:21:52 -05:00
Patrick Schleizer
a1e78e8515
fix needlessly re-adding entries 2019-12-23 01:20:56 -05:00
Patrick Schleizer
906b3d32e7
output 2019-12-23 01:09:57 -05:00
Patrick Schleizer
4f76867da6
lower debugging 2019-12-23 01:08:02 -05:00
Patrick Schleizer
dc6e5d8508
fix 2019-12-23 01:06:38 -05:00
Patrick Schleizer
87b999f92a
refactoring 2019-12-23 00:59:43 -05:00
Patrick Schleizer
065ff4bd05
sanity_tests 2019-12-23 00:59:24 -05:00
Patrick Schleizer
fef1469fe6
exit non-zero if capability removal failed 2019-12-23 00:51:14 -05:00
Patrick Schleizer
17a8c29470
fix capability removal error handling
https://forums.whonix.org/t/disable-suid-binaries/7706/45
2019-12-23 00:47:49 -05:00
Patrick Schleizer
b631e2ecd8
refactoring 2019-12-23 00:36:41 -05:00
Patrick Schleizer
7aea304549
comment 2019-12-23 00:26:15 -05:00
Patrick Schleizer
f4b1df02ee
Remove suid / gid and execute permission for 'group' and 'others'.
Similar to: chmod og-ugx /path/to/filename

Removing execution permission is useful to make binaries such as 'su' fail closed rather
than fail open if suid was removed from these.

Do not remove read access since no security benefit and easier to manually undo for users.

chmod 744
2019-12-22 19:42:40 -05:00
Patrick Schleizer
d300db3cde
output 2019-12-21 14:45:11 -05:00
Patrick Schleizer
3921846df6
comment 2019-12-21 14:36:42 -05:00
Patrick Schleizer
1e8457ea47
no longer remount /lib
https://forums.whonix.org/t/re-mount-home-and-other-with-noexec-and-nosuid-among-other-useful-mount-options-for-better-security/7707/25
2019-12-21 14:06:10 -05:00
Patrick Schleizer
10c19d6a8f
Merge remote-tracking branch 'origin/master' 2019-12-21 13:00:41 -05:00
madaidan
f5a52aeddc
Don't remount /sys/kernel/security 2019-12-21 14:55:28 +00:00
Patrick Schleizer
b2260f48f4
add support for /etc/exec / /usr/local/etc/exec
to allow enabling exec on a per VM basis
2019-12-21 08:03:33 -05:00
Patrick Schleizer
b74e5ca972
comment 2019-12-21 07:47:00 -05:00
Patrick Schleizer
8fb17624bc
comment 2019-12-21 07:44:51 -05:00
Patrick Schleizer
aef796a524
disable debugging 2019-12-21 07:44:23 -05:00
Patrick Schleizer
1fe83d683f
comment 2019-12-21 07:43:55 -05:00
Patrick Schleizer
7c3da38bd5
comment 2019-12-21 07:42:25 -05:00
Patrick Schleizer
9050058bc2
fix 2019-12-21 07:42:01 -05:00
Patrick Schleizer
6b13a644df
add /usr/lib/security-misc/permission-hardening-undo 2019-12-21 07:37:41 -05:00
Patrick Schleizer
c336bc4fd2
comment 2019-12-21 06:39:13 -05:00
Patrick Schleizer
b5f88efe20
fix 2019-12-21 06:27:01 -05:00
Patrick Schleizer
2088628c8d
debugging 2019-12-21 06:24:08 -05:00
Patrick Schleizer
2dca031527
debugging 2019-12-21 06:22:46 -05:00
Patrick Schleizer
195e00cc87
output 2019-12-21 06:16:38 -05:00
Patrick Schleizer
4b21b6df41
fix 2019-12-21 06:11:44 -05:00
Patrick Schleizer
8436da2b7b
output 2019-12-21 05:58:50 -05:00
Patrick Schleizer
da15265e1c
fix 2019-12-21 05:55:23 -05:00
Patrick Schleizer
2a248fe0de
fix 2019-12-21 05:54:39 -05:00
Patrick Schleizer
4f12664362
output 2019-12-21 05:54:07 -05:00
Patrick Schleizer
e3355843c8
fix 2019-12-21 05:51:22 -05:00
Patrick Schleizer
234ec5fe93
fix 2019-12-21 05:47:35 -05:00
Patrick Schleizer
7ff900c204
fix 2019-12-21 05:37:43 -05:00
Patrick Schleizer
e1a5ee4bcf
output 2019-12-21 05:26:55 -05:00
Patrick Schleizer
66aaf3e22c
output 2019-12-21 05:25:54 -05:00
Patrick Schleizer
7aa7d0b5a0
improve error handling 2019-12-21 05:22:27 -05:00
Patrick Schleizer
8919d38de9
disable debugging 2019-12-21 05:21:46 -05:00
Patrick Schleizer
cf5dee64fd
refactoring 2019-12-21 05:18:34 -05:00
Patrick Schleizer
29cd9a0c38
fix 2019-12-21 05:17:35 -05:00
Patrick Schleizer
486027a4d7
fix 2019-12-21 05:15:38 -05:00
Patrick Schleizer
1fd26be864
fix 2019-12-21 05:14:51 -05:00
Patrick Schleizer
0fc97c37be
fix 2019-12-21 05:14:39 -05:00
Patrick Schleizer
1018d5b3b0
output 2019-12-21 05:11:51 -05:00
Patrick Schleizer
4388fc4d5a
refactoring 2019-12-21 05:11:19 -05:00