Git-Mirrors/security-misc
1
0
Fork 0
mirror of https://github.com/Kicksecure/security-misc.git synced 2024-10-01 08:25:45 -04:00
Code Issues Packages Projects Releases Wiki Activity
614 Commits 2 Branches 291 Tags 8.2 MiB
218cbddba9
Commit Graph

126 Commits

Author SHA1 Message Date
Patrick Schleizer
3f068f77fe
keep cache folder outside of reach of user since even user can remove files 
owned by root in its home folder
 2019-08-19 07:47:20 +00:00
Patrick Schleizer
1fa1efa58e
credits 2019-08-19 07:22:09 +00:00
Patrick Schleizer
1e026a3ebb
initial development version of VirusForget 2019-08-18 22:50:44 +00:00
Patrick Schleizer
41b2819ec8
PAM: abort on locked password 
to avoid needlessly bumping pam_tally2 counter

https://forums.whonix.org/t/restrict-root-access/7658/1
 2019-08-17 10:33:47 +00:00
Patrick Schleizer
ed90d8b025
change default umask to 027 
as per:

https://forums.whonix.org/t/change-default-umask/7416/47
 2019-08-17 09:55:20 +00:00
Patrick Schleizer
17cfcb63b6
code simplification; report locked account earlier 2019-08-16 10:50:56 -04:00
Patrick Schleizer
ff9bc1d7ea
informational output during PAM: 
* Show failed and remaining password attempts.
* Document unlock procedure if Linux user account got locked.
* Point out, that there is no password feedback for `su`.
* Explain locked (root) account if locked.
* /usr/share/pam-configs/tally2-security-misc
* /usr/lib/security-misc/pam_tally2-info
 2019-08-15 13:37:28 +00:00
Patrick Schleizer
454e135822
pam_tally2.so even_deny_root 2019-08-15 07:33:41 +00:00
Patrick Schleizer
63b476221c
use requisite rather than required to avoid asking for password needlessly 
if login will fail anyhow
 2019-08-15 07:30:56 +00:00
Patrick Schleizer
8fdc77fed5
output to stdout 2019-08-14 10:33:23 +00:00
Patrick Schleizer
547ba91d79
sanity test 2019-08-14 09:45:30 +00:00
Patrick Schleizer
799acad724
skip, if not a folder 2019-08-14 09:39:43 +00:00
Patrick Schleizer
6321ff5ad5
refactoring 2019-08-14 09:38:44 +00:00
Patrick Schleizer
15094cab4f
avoid ' character in usr/share/pam-configs; in description 2019-08-14 09:36:30 +00:00
Patrick Schleizer
97d1945e61
no log needed, informative output to stdout instead 2019-08-14 09:32:58 +00:00
Patrick Schleizer
a085d46c56
change priories so "pam_umask.so usergroups umask=006" runs before pam_exec.so /usr/lib/security-misc/permission-lockdown 2019-08-14 09:31:58 +00:00
Patrick Schleizer
f8c828b69a
output 2019-08-14 05:19:02 -04:00
Patrick Schleizer
e5da6d9699
copyright 2019-08-14 05:17:54 -04:00
Patrick Schleizer
1595789d7c
comment 2019-08-14 05:17:16 -04:00
Patrick Schleizer
ce06fdf911
formatting 2019-08-14 05:15:53 -04:00
Patrick Schleizer
21489111d1
run permission lockdown during pam 
https://forums.whonix.org/t/change-default-umask/7416
 2019-08-14 08:34:03 +00:00
Patrick Schleizer
52df8dc014
optional pam_umask.so usergroups umask=006 2019-08-14 07:37:21 +00:00
Patrick Schleizer
dbea7d1511
add hook etc/kernel/postinst.d/30_remove-system-map to remove system.map 
on kernel package upgrade;

self-document this package: during upgrade the following will be written
to stdout:

Setting up linux-image-4.19.0-5-amd64 (4.19.37-5+deb10u2) ...
/etc/kernel/postinst.d/30_remove-system-map:
removed '/boot/System.map-4.19.0-5-amd64
 2019-08-14 07:22:14 +00:00
Patrick Schleizer
2f37a66fd0
description 2019-08-11 10:31:29 +00:00
Patrick Schleizer
e83ec79a25
enable usr/share/pam-configs/mkhomedir-security-misc by default 2019-08-11 10:30:51 +00:00
Patrick Schleizer
1eb806a03e
pam_mkhomedir.so umask=006 2019-08-11 10:29:49 +00:00
Patrick Schleizer
c50eb3c9b0
add usr/share/pam-configs/mkhomedir-security-misc based on 
/usr/share/pam-configs/mkhomedir
 2019-08-11 10:28:55 +00:00
Patrick Schleizer
a2fa18c381
pam_tally2.so deny=100 
during testing, due to issues

d17e25272b

https://forums.whonix.org/t/how-strong-do-linux-user-account-passwords-have-to-be-when-using-full-disk-encryption-fde-too/7698/12
 2019-08-10 07:07:28 -04:00
Patrick Schleizer
d17e25272b
effectively (not directly) add "required pam_tally2.so debug" to /etc/pam.d/common-account 
This is required because otherwise something like "sudo bash" would count as a
failed login for pam_tally2 even though it was successful.

https://bugzilla.redhat.com/show_bug.cgi?id=707660

https://forums.whonix.org/t/restrict-root-access/7658
 2019-08-10 06:06:39 -04:00
Patrick Schleizer
0f896a9d8d
add onerr=fail audit to pam_tally2 2019-08-10 06:05:37 -04:00
Patrick Schleizer
e076470f68
renamed: usr/share/pam-configs/usergroups -> usr/share/pam-configs/usergroups-security-misc 2019-08-01 11:04:58 +00:00
Patrick Schleizer
830111e99a
split usr/share/pam-configs/security-misc 
into
usr/share/pam-configs/tally2-security-misc
usr/share/pam-configs/wheel-security-misc
 2019-08-01 11:04:22 +00:00
Patrick Schleizer
89d32402b2
fix, do not use "," inside /usr/share/pam-configs files 2019-07-31 14:52:29 -04:00
Patrick Schleizer
cf90668756
lock user accounts after 5 failed authentication attempts using pam_tally2 2019-07-31 03:25:02 -04:00
Patrick Schleizer
3e29761560
debug at the end 2019-07-31 03:17:06 -04:00
Patrick Schleizer
5cdb3edb32
usr/share/pam-configs/wheel -> usr/share/pam-configs/security-misc 2019-07-31 03:16:41 -04:00
Patrick Schleizer
3f9437f1ec
Revert "set back to default group "root" rather than group "sudo" membership required to use su" 
This reverts commit 2f276cdb10.
 2019-07-17 14:25:19 -04:00
Patrick Schleizer
2f276cdb10
set back to default group "root" rather than group "sudo" membership required to use su 
since root login will be locked by default anyhow

Thanks to @madaidan for providing the rationale!

https://forums.whonix.org/t/restrict-root-access/7658/42
 2019-07-15 08:44:28 -04:00
Patrick Schleizer
6d1e8ac9a4
description 2019-07-14 11:16:49 +00:00
Patrick Schleizer
ffb61f43ea
fix, add 'group=sudo' and 'debug' for debugging 
https://forums.whonix.org/t/restrict-root-access/7658
 2019-07-14 11:11:59 +00:00
Patrick Schleizer
6af2d7facb
copyright 2019-07-13 18:12:25 +00:00
Patrick Schleizer
75f0ca565d
set -e 2019-07-13 18:12:04 +00:00
Patrick Schleizer
c389e13e1a
use pre.bsh 2019-07-13 17:59:49 +00:00
Patrick Schleizer
e9eb38b5db
formatting 2019-07-13 15:04:09 +00:00
Patrick Schleizer
cb668459e8
port umask from /etc/pam.d to /usr/share/pam-configs implementation 
https://forums.whonix.org/t/change-default-umask/7416
 2019-07-13 10:35:10 -04:00
Patrick Schleizer
69b97981f3
convert etc/pam.d/su.security-misc to usr/share/pam-configs/wheel 
https://forums.whonix.org/t/restrict-root-access/7658/32
 2019-07-13 12:33:51 +00:00
Patrick Schleizer
bea98474ba
chmod +x usr/lib/security-misc/panic-on-oops 2019-07-11 07:07:21 +00:00
madaidan
52c61011d4
Create panic-on-oops 2019-07-08 22:58:56 +00:00
Patrick Schleizer
a978fe1000
chmod +x usr/lib/security-misc/remove-system.map 2019-06-28 07:17:35 +00:00
madaidan
9392c8deb2
Update remove-system.map 2019-06-26 15:03:54 +00:00
madaidan
8ef0db17e6
Use a for loop to detect if System.map exists 2019-06-26 12:59:45 +00:00
madaidan
382e336f69
Create remove-system.map 2019-06-25 19:20:27 +00:00
Patrick Schleizer
f9acd890a7
lintian 2019-06-09 10:24:24 +00:00
Patrick Schleizer
c040117fe4
lintian 2019-05-12 10:50:34 +00:00
Patrick Schleizer
6ba1fb70d2
port to debian buster 2019-04-05 14:06:00 -04:00
Patrick Schleizer
811dcee2cb
fix lintian warning 2019-04-05 09:26:18 -04:00
Patrick Schleizer
5b3fc2f6b9
update copyright 2018-01-29 15:22:05 +00:00
Patrick Schleizer
c3b6a44e97
update copyright 2018-01-29 15:15:17 +00:00
Patrick Schleizer
ff28f5932c
update copyright 2018-01-29 15:09:42 +00:00
Patrick Schleizer
f6bc188485
comment 2017-02-28 15:22:54 +01:00
Patrick Schleizer
18e23af784
cleanup 2017-02-27 23:59:37 +00:00
Patrick Schleizer
6195450eb2
No longer ignore duplicate apt sources in apt-get-wrapper. 
No longer acceptable because these generate lots of noise in the terminal.
 2017-02-27 23:57:04 +00:00
Patrick Schleizer
191918027c
adjust apt-get-wrapper for Debian stretch's apt-get 2017-02-27 23:43:02 +00:00
Patrick Schleizer
2130b4c654
use python rather than unbuffer 
because unbuffer eats exit code when process is killed
 2017-02-27 23:16:32 +00:00
Patrick Schleizer
cc351165dc
apt-get-wrapper: 
- fix exit code handling
- code simplification
 2017-02-27 19:36:38 +00:00
Patrick Schleizer
5653b7732a
fix, show progress during apt-get-wrapper 
fix, propagate signals to apt-get child process
 2017-02-26 23:57:17 +00:00
Patrick Schleizer
49cde21078
Whonix 14 KDE plasma 5 fixes 
https://phabricator.whonix.org/T633
 2017-02-21 19:54:41 +00:00
Patrick Schleizer
5ba2a5b6ff
disable previews in nautilus by default for better security 
copied solution by @unman

https://github.com/QubesOS/qubes-issues/issues/1108

https://github.com/QubesOS/qubes-core-agent-linux/pull/39

https://phabricator.whonix.org/T500
 2017-02-19 22:25:28 +00:00
Patrick Schleizer
bddbba84a6
"$@" 2017-02-14 17:30:31 +00:00
Patrick Schleizer
9b0d3e34fc
add usr/lib/security-misc/apt-get-update-sanity-test 
a CVE-2016-1252 sanity test script
 2017-02-14 02:37:08 +00:00
Patrick Schleizer
90f175e117
double apt-get-update wrapper timeout from 120 to 240 seconds 
since it takes a bit longer than 120 seconds for me on a fast connection
 2017-02-08 14:26:26 +00:00
Patrick Schleizer
0cf6524f0f
apt-get-update: implement SIGINIT trap; hide 'ps' output 2016-12-25 02:33:44 +00:00
Patrick Schleizer
c4089d8d40
update path to /usr/lib/security-misc/apt-get-wrapper 2016-12-25 01:36:04 +00:00
Patrick Schleizer
7b01fb9341
remove obsolete comments 2016-12-25 01:35:17 +00:00
Patrick Schleizer
8160cfe1d7
moved apt-get-update and apt-get-wrapper from whonixcheck to security-misc 2016-12-25 01:29:31 +00:00
Patrick Schleizer
d3ccf0eeaf
initial commit 2015-12-15 02:00:24 +00:00