Patrick Schleizer
e5d7ab7082
comment
2022-11-15 12:44:12 -05:00
Patrick Schleizer
23b936b573
also support /usr/local/etc/pam-info-debug
2022-11-15 12:31:14 -05:00
Patrick Schleizer
95487346db
pam-info: create debug log file ~/pam-info-debug.txt
...
when file /etc/pam-info-debug exists
2022-11-15 12:29:41 -05:00
Patrick Schleizer
2872c2ab52
comments
2022-11-15 12:00:59 -05:00
Patrick Schleizer
6033de7815
debugging
2022-11-15 11:58:50 -05:00
Patrick Schleizer
272a33fe2c
addgroup -> adduser fix
2022-08-13 11:35:25 -04:00
Patrick Schleizer
82da4ed18f
comments
2022-07-28 09:56:24 -04:00
Patrick Schleizer
a6bee1493d
cold-boot-attack-defense wait longer to make messages readable by user
2022-07-28 09:55:12 -04:00
Patrick Schleizer
053142cdb5
fix
2022-07-26 10:00:21 -04:00
Patrick Schleizer
3b844eaab2
output
2022-07-09 11:42:11 -04:00
Patrick Schleizer
73d2c9d921
output
2022-07-09 11:40:15 -04:00
Patrick Schleizer
adfdac6dea
output
2022-07-09 11:40:01 -04:00
Patrick Schleizer
1df2cfd1ad
comment
2022-07-09 11:38:37 -04:00
Patrick Schleizer
fede41e6e0
fix
2022-07-09 11:38:04 -04:00
Krish-sysadmin
e5f8004a94
Update hide-hardware-info
2022-07-05 03:37:40 +02:00
Patrick Schleizer
69af8be7b8
drop_caches before and after sdmem
2022-07-02 19:10:55 -04:00
Patrick Schleizer
67bdd58bf2
sync
2022-07-02 19:07:06 -04:00
Patrick Schleizer
973f117aa6
wipe RAM at shutdown: Ensure any remaining disk cache is erased by Linux' memory poisoning
...
by running:
`echo 3 > /proc/sys/vm/drop_caches`
Inspired by Tails:
https://gitlab.tails.boum.org/tails/tails/-/blob/master/config/chroot_local-includes/usr/local/lib/initramfs-pre-shutdown-hook
2022-07-02 18:12:36 -04:00
Patrick Schleizer
95187bd357
fix
2022-07-02 17:21:33 -04:00
Patrick Schleizer
148a050468
fix
2022-07-02 16:03:45 -04:00
Patrick Schleizer
82e7863d5b
improvement
2022-07-02 16:02:28 -04:00
Patrick Schleizer
1144b39e5e
debugging
2022-07-02 15:50:59 -04:00
Patrick Schleizer
c29b21c08a
output
2022-07-02 15:45:19 -04:00
Patrick Schleizer
d34fe21963
fix
2022-07-02 15:32:42 -04:00
Patrick Schleizer
32fdcf522b
- introduce wiperam=skip
kernel parameter to skip wipe ram
...
- introduce `wiperam=force` kernel parameter to force wipe ram inside VMs
2022-06-30 14:47:45 -04:00
Patrick Schleizer
036f518ddc
improvement
2022-06-30 13:56:29 -04:00
Patrick Schleizer
0e2fae2b69
skip ram wipe inside VMs
...
https://forums.whonix.org/t/is-ram-wipe-possible-inside-whonix-cold-boot-attack-defense/5596/40
2022-06-30 13:50:18 -04:00
Patrick Schleizer
e06405c7be
undo
2022-06-29 16:56:16 -04:00
Patrick Schleizer
1b97d9cb76
fix
2022-06-29 16:30:31 -04:00
Patrick Schleizer
92c543e71f
output
2022-06-29 16:24:52 -04:00
Patrick Schleizer
d4161b2748
output
2022-06-29 16:23:42 -04:00
Patrick Schleizer
1ce7b27297
improvement
2022-06-29 16:23:12 -04:00
Patrick Schleizer
8b584c570a
lintian
2022-06-29 16:06:22 -04:00
Patrick Schleizer
f5e0c1742a
credits
2022-06-29 16:02:05 -04:00
Patrick Schleizer
42e24f3c24
update file names
2022-06-29 15:54:49 -04:00
Patrick Schleizer
52aaac9b6d
rename
2022-06-29 15:53:52 -04:00
Patrick Schleizer
619bb3cf4d
rename
2022-06-29 15:53:24 -04:00
Patrick Schleizer
2a8504cf1b
move
2022-06-29 15:51:14 -04:00
Patrick Schleizer
af8b211c23
improvements
2022-06-29 15:50:20 -04:00
Patrick Schleizer
e9cd5d934b
copyright
2022-06-29 15:24:27 -04:00
Patrick Schleizer
1c51d15649
lintian
2022-06-29 15:23:53 -04:00
Patrick Schleizer
9ab81d4581
do not power off too fast so wipe ram messages can be read
2022-06-29 15:22:00 -04:00
Patrick Schleizer
19439033de
copyright
2022-06-29 15:19:56 -04:00
Patrick Schleizer
fc202ede16
delete no longer required usr/lib/dracut/modules.d/40sdmem-security-misc/README.md
2022-06-29 15:18:28 -04:00
Patrick Schleizer
6d3a08a936
improvements
2022-06-29 15:17:40 -04:00
Patrick Schleizer
6eba53767f
lintian
2022-06-29 14:17:52 -04:00
Patrick Schleizer
8a072437cc
ram wipe on shutdown: fix, added need_shutdown
hook
...
Otherwise dracut does not run on shutdown.
Without `need_shutdown` file `/run/initramfs/.need_shutdown` does not get created.
And without that file `/usr/lib/dracut/dracut-initramfs-restore`,
which itself is started by `/lib/systemd/system/dracut-shutdown.service` does nothing.
2022-06-29 14:13:30 -04:00
Patrick Schleizer
924077e04c
verbose
2022-06-29 13:02:53 -04:00
Patrick Schleizer
db301dfd7f
comment
2022-06-29 13:02:39 -04:00
Patrick Schleizer
73d2ada0de
comment
2022-06-29 13:02:01 -04:00
Patrick Schleizer
295811a88f
improvements
2022-06-29 11:14:52 -04:00
Patrick Schleizer
cfae7de6a8
lintian
2022-06-29 09:58:37 -04:00
Patrick Schleizer
024d52a67e
improve usr/lib/dracut/modules.d/40sdmem-security-misc/module-setup.sh
2022-06-29 09:52:53 -04:00
Patrick Schleizer
29253004b6
minor
2022-06-29 09:38:18 -04:00
Patrick Schleizer
6f19af1542
add shebang /bin/sh
...
to fix lintian warning
security-misc: executable-not-elf-or-script usr/lib/dracut/modules.d/40sdmem-security-misc/wipe.sh
2022-06-29 09:35:08 -04:00
Patrick Schleizer
38cdf2722b
- Wipe LUKS Disk Encryption Key for Root Disk from RAM during Shutdown to defeat Cold Boot Attacks
...
- Confirm in console output if encrypted mounts (root disk) is unmounted. (Because that is a pre-condition for wiping the LUKS full disk encryption key from RAM.)
Thanks to @friedy10!
https://github.com/friedy10/dracut/tree/master/modules.d/40sdmem
https://forums.whonix.org/t/is-ram-wipe-possible-inside-whonix-cold-boot-attack-defense/5596
2022-06-29 09:32:55 -04:00
Patrick Schleizer
d7dd188651
remove unicode
2022-06-08 09:27:02 -04:00
Patrick Schleizer
55d16e1602
remove unicode
2022-06-08 09:04:03 -04:00
Kuri Schlarb
2bdda9d0a0
permssion-hardening: Do not skip config file lines without trailing newline (ancient bash bug)
2022-06-07 08:18:05 +00:00
Kuri Schlarb
9fd8e1c9b0
permission-hardening: Fix issue with pipelining failures causing incorrect user/group lookup results
2022-06-07 08:03:56 +00:00
Patrick Schleizer
2d37e3a1af
copyright
2022-05-20 14:46:38 -04:00
Patrick Schleizer
7651308787
Merge pull request #103 from 0xC0ncord/bugfix/selinuxfs_restrictions
...
hide-hardware-info: re-enable restrictions on sysfs when using SELinux
2022-05-19 19:39:42 -04:00
Patrick Schleizer
bb0307290b
update link
2022-04-16 14:18:35 -04:00
0xC0ncord
93efa506da
hide-hardware-info: disable selinux whitelist by default
2022-03-17 11:41:57 -04:00
Patrick Schleizer
b0a0004a85
output
2022-02-10 13:47:10 -05:00
Patrick Schleizer
4f6f588fb5
fix, skip deletion of system.map files on read-only filesystems
...
This is required for Qubes /lib/modules read-only implementation at time of writing.
Thanks to @marmarek for the bug report!
https://forums.whonix.org/t/remove-system-map-cannot-work-lib-modules-is-mounted-read-only/13324
2022-02-10 13:44:55 -05:00
0xC0ncord
4172232eb7
hide-hardware-info: make indentation consistent
2021-10-10 16:03:40 -04:00
0xC0ncord
060d7d890a
hide-hardware-info: re-enable restrictions on sysfs when using SELinux
...
When using SELinux, restrict the parts of sysfs explicitly to ensure
restrictions are working as expected.
2021-10-10 16:03:07 -04:00
Patrick Schleizer
be8c10496f
fix faillock implementation
...
dovecot / ssh are exempted
2021-09-01 15:55:53 -04:00
Patrick Schleizer
8b104f544a
fix, add sshd to pam_service_exclusion_list
...
to avoid faillock
2021-09-01 15:45:36 -04:00
Patrick Schleizer
db43cedcfd
LANG=C str_replace
2021-08-22 05:23:24 -04:00
Patrick Schleizer
582492d6d8
port from pam_tally2 to pam_faillock
...
since pam_tally2 was deprecated upstream
2021-08-10 17:13:00 -04:00
Patrick Schleizer
2bf0e7471c
port from pam_tally2 to pam_faillock
...
since pam_tally2 was deprecated upstream
2021-08-10 15:11:01 -04:00
Patrick Schleizer
2aea74bd71
renamed: usr/libexec/security-misc/pam_tally2-info -> usr/libexec/security-misc/pam-info
...
renamed: usr/libexec/security-misc/pam_tally2_not_if_x -> usr/libexec/security-misc/pam_faillock_not_if_x
renamed: usr/share/pam-configs/tally2-security-misc -> usr/share/pam-configs/faillock-security-misc
2021-08-10 15:06:04 -04:00
Patrick Schleizer
50bdd097df
move /usr/lib/security-misc to /usr/libexec/security-misc as per lintian FHS
2021-08-03 12:56:31 -04:00
Patrick Schleizer
4fadaad8c0
lintian FHS
2021-08-03 12:52:10 -04:00
Patrick Schleizer
6607c1e4bd
move /usr/lib/helper-scripts and /usr/lib/curl-scripts to /usr/libexec/helper-scripts as per lintian FHS
2021-08-03 12:48:57 -04:00
Patrick Schleizer
240ec7672a
replace no longer required /usr/lib/security-misc/apt-get-wrapper
with apt-get --error-on=any
2021-08-03 12:19:26 -04:00
Patrick Schleizer
8eae635668
update lintian tag name
2021-08-03 11:51:31 -04:00
Patrick Schleizer
bb3e65f7a8
bullseye
2021-08-03 03:25:35 -04:00
Patrick Schleizer
b3e34f7f43
comment
2021-07-25 11:27:07 -04:00
Patrick Schleizer
7e128636b3
improve LKRG VirtualBox host configuration
...
as per https://github.com/openwall/lkrg/issues/82#issuecomment-886188999
2021-07-25 11:26:20 -04:00
Patrick Schleizer
257cef24ba
add LKRG compatibility settings automation for VirtualBox hosts
...
https://github.com/openwall/lkrg/issues/82
2021-07-24 18:03:40 -04:00
Patrick Schleizer
74e39cbf69
pam-abort-on-locked-password: more descriptive error handling
...
https://forums.whonix.org/t/restrict-root-access/7658/1
2021-06-20 11:18:56 -04:00
Patrick Schleizer
a67007f4b7
copyright
2021-03-17 09:45:21 -04:00
Patrick Schleizer
a1819e8cab
comment
2021-03-01 09:15:44 -05:00
Kenton Groombridge
4db7d6be64
hide-hardware-info: allow unrestricting selinuxfs
...
On SELinux systems, the /sys/fs/selinux directory must be visible to
userspace utilities in order to function properly.
2021-02-06 03:02:08 -05:00
Patrick Schleizer
af3244741d
comment
2021-01-29 23:15:52 -05:00
Patrick Schleizer
b0b7f569ee
comment
2021-01-28 02:11:54 -05:00
Patrick Schleizer
9622f28e25
skip counting failed login attempts from dovecot
...
Failed dovecot logins should not result in account getting locked.
revert "use pam_tally2 only for login"
2021-01-27 05:49:34 -05:00
Patrick Schleizer
6757104aa4
use pam_tally2 only for login
...
to skip counting failed login attempts over ssh and mail login
2021-01-24 05:04:48 -05:00
Patrick Schleizer
c5097ed599
comment
2020-12-06 04:23:09 -05:00
Patrick Schleizer
c031f22995
SUID Disabler and Permission Hardener: introduce configuration option to disable all whitelists
...
`whitelists_disable_all=true`
2020-12-01 05:14:48 -05:00
Patrick Schleizer
b09cc0de6a
Revert "SUID Disabler and Permission Hardener: introduce configuration option to disable all whitelists"
...
This reverts commit 36a471ebce
.
2020-12-01 05:10:26 -05:00
Patrick Schleizer
36a471ebce
SUID Disabler and Permission Hardener: introduce configuration option to disable all whitelists
...
`whitelists_disable_all=true`
2020-12-01 05:02:34 -05:00
Patrick Schleizer
28a326a8a1
add feature /usr/lib/security-misc/permission-hardening-undo /path/to/filename
...
to allow removing 1 SUID
fix, show INFO message if file does not exist during removal rather than ERROR
2020-11-28 05:31:12 -05:00
Patrick Schleizer
abae787186
usability: pam abort when attempting to login to root when root password is locked
2020-11-05 06:47:16 -05:00
Patrick Schleizer
581e31af81
comment
2020-11-05 06:46:57 -05:00
Patrick Schleizer
dfe9b0f6c7
fix, no longer unconditionally abort pam for user accounts with locked passwords
...
as locked user accounts might have valid sudoers exceptions
Thanks to @mimp for the bug report!
https://forums.whonix.org/t/pam-abort-on-locked-password-and-running-privileged-command-from-web-browser/10521
2020-11-05 06:42:47 -05:00
Patrick Schleizer
211769dc65
comment
2020-11-05 06:41:51 -05:00
Patrick Schleizer
7952139731
comment
2020-11-05 06:39:32 -05:00
Patrick Schleizer
bb72c1278d
copyright
2020-11-05 06:36:39 -05:00
Patrick Schleizer
5c81e1f23f
import from anon-gpg-conf
2020-04-06 09:25:45 -04:00
Patrick Schleizer
1188a44f47
port to python 3.7
2020-04-04 16:49:30 -04:00
Patrick Schleizer
2ceea8d1fe
update copyright year
2020-04-01 08:49:59 -04:00
Patrick Schleizer
649ec5dfa1
pkexec wrapper: fix gdebi / synaptic
...
but at cost of checking for passwordless sudo /etc/suders /etc/sudoers.d
exceptions.
http://forums.whonix.org/t/cannot-use-pkexec/8129/53
2020-02-29 04:59:56 -05:00
Patrick Schleizer
9bbae903fe
remove-system.map: lower verbosity output
2020-02-15 05:29:48 -05:00
madaidan
31009f0bfa
Shred System.map files
2020-02-14 23:46:19 +00:00
Patrick Schleizer
1f6ed2cc70
add support for passing parameters to usr/lib/security-misc/apt-get-update
2020-02-03 08:55:20 -05:00
Patrick Schleizer
8627c9f76d
/usr/lib/security-misc/apt-get-update increase default timeout_after="600"
2020-01-31 12:18:02 -05:00
Patrick Schleizer
829e28aa90
/usr/lib/security-misc/apt-get-update environment variable timeout_after kill_after support
2020-01-31 12:17:07 -05:00
Patrick Schleizer
d4a37b6df2
remove-system.map: source /usr/lib/helper-scripts/pre.bsh
2020-01-24 03:18:17 -05:00
Patrick Schleizer
18041efa2f
fix pam tally2 check when read-only disk boot without ro-mode-init or grub-live
2020-01-21 10:01:17 -05:00
Patrick Schleizer
80159545a5
fix xfce4-power-manager xfpm-power-backlight-helper pkexec lxsudo popup
...
https://forums.whonix.org/t/xfce4-power-manager-xfpm-power-backlight-helper-pkexec-lxsudo-popup/8764
do show lxqt-sudo password prompt if there is a sudoers exceptoin
improved pkexec wrapper logging
2020-01-15 02:42:10 -05:00
Patrick Schleizer
d90ca4b1ad
refactoring
2020-01-14 15:12:13 -05:00
Patrick Schleizer
082f04f2d4
add logging to pkexec wrapper
2020-01-14 15:04:58 -05:00
Patrick Schleizer
5031e7cc4b
better output if trying to login with non-existing user
2019-12-31 08:18:38 -05:00
Patrick Schleizer
20697db3ee
improve console lockdown info output
2019-12-31 02:53:02 -05:00
Patrick Schleizer
788914de95
group ssh check was removed
...
https://forums.whonix.org/t/etc-security-hardening-console-lockdown-pam-access-access-conf/8592/27
2019-12-31 02:46:32 -05:00
Patrick Schleizer
1a0f7a7733
debugging
2019-12-29 04:43:32 -05:00
Patrick Schleizer
5271892cb1
debugging
2019-12-29 04:42:54 -05:00
Patrick Schleizer
683028049c
debugging
2019-12-29 04:41:23 -05:00
Patrick Schleizer
e3e1ff2a31
exit with error if a config line cannot be processed rather than skipping
...
https://forums.whonix.org/t/disable-suid-binaries/7706/59
2019-12-29 04:35:46 -05:00
Patrick Schleizer
d5c99f3a60
output
2019-12-29 04:27:21 -05:00
Patrick Schleizer
04f438f75d
comment
2019-12-24 18:09:37 -05:00
Patrick Schleizer
9da0e428ed
debugging
2019-12-24 17:54:31 -05:00
Patrick Schleizer
e18ec533c3
comment
2019-12-24 17:54:02 -05:00
Patrick Schleizer
f8f2e6c704
fix disablewhitelist feature
2019-12-23 02:35:13 -05:00
Patrick Schleizer
47ddcad0c0
rename keyword whitelist to exactwhitelist
...
add new keyword disablewhitelist
refactoring
2019-12-23 02:29:47 -05:00
Patrick Schleizer
34bf245713
output
2019-12-23 01:35:45 -05:00
Patrick Schleizer
ba30e45d15
output
2019-12-23 01:32:42 -05:00
Patrick Schleizer
ee9c5742da
output
2019-12-23 01:29:48 -05:00
Patrick Schleizer
6d05359abc
output
2019-12-23 01:21:52 -05:00
Patrick Schleizer
a1e78e8515
fix needlessly re-adding entries
2019-12-23 01:20:56 -05:00
Patrick Schleizer
906b3d32e7
output
2019-12-23 01:09:57 -05:00
Patrick Schleizer
4f76867da6
lower debugging
2019-12-23 01:08:02 -05:00
Patrick Schleizer
dc6e5d8508
fix
2019-12-23 01:06:38 -05:00
Patrick Schleizer
87b999f92a
refactoring
2019-12-23 00:59:43 -05:00
Patrick Schleizer
065ff4bd05
sanity_tests
2019-12-23 00:59:24 -05:00
Patrick Schleizer
fef1469fe6
exit non-zero if capability removal failed
2019-12-23 00:51:14 -05:00
Patrick Schleizer
17a8c29470
fix capability removal error handling
...
https://forums.whonix.org/t/disable-suid-binaries/7706/45
2019-12-23 00:47:49 -05:00
Patrick Schleizer
b631e2ecd8
refactoring
2019-12-23 00:36:41 -05:00
Patrick Schleizer
7aea304549
comment
2019-12-23 00:26:15 -05:00
Patrick Schleizer
f4b1df02ee
Remove suid / gid and execute permission for 'group' and 'others'.
...
Similar to: chmod og-ugx /path/to/filename
Removing execution permission is useful to make binaries such as 'su' fail closed rather
than fail open if suid was removed from these.
Do not remove read access since no security benefit and easier to manually undo for users.
chmod 744
2019-12-22 19:42:40 -05:00
Patrick Schleizer
d300db3cde
output
2019-12-21 14:45:11 -05:00
Patrick Schleizer
3921846df6
comment
2019-12-21 14:36:42 -05:00
Patrick Schleizer
1e8457ea47
no longer remount /lib
...
https://forums.whonix.org/t/re-mount-home-and-other-with-noexec-and-nosuid-among-other-useful-mount-options-for-better-security/7707/25
2019-12-21 14:06:10 -05:00
Patrick Schleizer
10c19d6a8f
Merge remote-tracking branch 'origin/master'
2019-12-21 13:00:41 -05:00
madaidan
f5a52aeddc
Don't remount /sys/kernel/security
2019-12-21 14:55:28 +00:00
Patrick Schleizer
b2260f48f4
add support for /etc/exec / /usr/local/etc/exec
...
to allow enabling exec on a per VM basis
2019-12-21 08:03:33 -05:00
Patrick Schleizer
b74e5ca972
comment
2019-12-21 07:47:00 -05:00
Patrick Schleizer
8fb17624bc
comment
2019-12-21 07:44:51 -05:00
Patrick Schleizer
aef796a524
disable debugging
2019-12-21 07:44:23 -05:00
Patrick Schleizer
1fe83d683f
comment
2019-12-21 07:43:55 -05:00
Patrick Schleizer
7c3da38bd5
comment
2019-12-21 07:42:25 -05:00
Patrick Schleizer
9050058bc2
fix
2019-12-21 07:42:01 -05:00
Patrick Schleizer
6b13a644df
add /usr/lib/security-misc/permission-hardening-undo
2019-12-21 07:37:41 -05:00
Patrick Schleizer
c336bc4fd2
comment
2019-12-21 06:39:13 -05:00
Patrick Schleizer
b5f88efe20
fix
2019-12-21 06:27:01 -05:00
Patrick Schleizer
2088628c8d
debugging
2019-12-21 06:24:08 -05:00
Patrick Schleizer
2dca031527
debugging
2019-12-21 06:22:46 -05:00
Patrick Schleizer
195e00cc87
output
2019-12-21 06:16:38 -05:00
Patrick Schleizer
4b21b6df41
fix
2019-12-21 06:11:44 -05:00
Patrick Schleizer
8436da2b7b
output
2019-12-21 05:58:50 -05:00
Patrick Schleizer
da15265e1c
fix
2019-12-21 05:55:23 -05:00
Patrick Schleizer
2a248fe0de
fix
2019-12-21 05:54:39 -05:00
Patrick Schleizer
4f12664362
output
2019-12-21 05:54:07 -05:00
Patrick Schleizer
e3355843c8
fix
2019-12-21 05:51:22 -05:00
Patrick Schleizer
234ec5fe93
fix
2019-12-21 05:47:35 -05:00
Patrick Schleizer
7ff900c204
fix
2019-12-21 05:37:43 -05:00
Patrick Schleizer
e1a5ee4bcf
output
2019-12-21 05:26:55 -05:00
Patrick Schleizer
66aaf3e22c
output
2019-12-21 05:25:54 -05:00
Patrick Schleizer
7aa7d0b5a0
improve error handling
2019-12-21 05:22:27 -05:00
Patrick Schleizer
8919d38de9
disable debugging
2019-12-21 05:21:46 -05:00
Patrick Schleizer
cf5dee64fd
refactoring
2019-12-21 05:18:34 -05:00
Patrick Schleizer
29cd9a0c38
fix
2019-12-21 05:17:35 -05:00
Patrick Schleizer
486027a4d7
fix
2019-12-21 05:15:38 -05:00
Patrick Schleizer
1fd26be864
fix
2019-12-21 05:14:51 -05:00
Patrick Schleizer
0fc97c37be
fix
2019-12-21 05:14:39 -05:00
Patrick Schleizer
1018d5b3b0
output
2019-12-21 05:11:51 -05:00
Patrick Schleizer
4388fc4d5a
refactoring
2019-12-21 05:11:19 -05:00
Patrick Schleizer
ed20980f4c
refactoring
2019-12-21 05:07:10 -05:00
Patrick Schleizer
315ce86b9a
refactoring
2019-12-21 04:33:03 -05:00
Patrick Schleizer
0c5848494b
do not remount if already has intended mount options
2019-12-21 04:21:26 -05:00
Patrick Schleizer
203f4ad46e
refactoring
2019-12-21 04:17:10 -05:00
Patrick Schleizer
e7fd0dadb0
output
2019-12-21 04:09:35 -05:00
Patrick Schleizer
e6ea21c775
record existing modes in separate dpkg-statoverwrite databases
...
to have a history of what was modified and to allow to undo changes
2019-12-21 04:08:35 -05:00
Patrick Schleizer
17e8605119
add matchwhitelist feature
...
add "/usr/lib/virtualbox/ matchwhitelist"
2019-12-20 12:57:24 -05:00
Patrick Schleizer
1b569ea790
comment
2019-12-20 12:32:36 -05:00
Patrick Schleizer
f88ca25889
fix terminology, sguid -> sgid
...
Thanks to @madaidan for the bug report!
https://forums.whonix.org/t/permission-hardening/8655/21
2019-12-20 11:58:07 -05:00
Patrick Schleizer
ff0a26fb5d
comment
2019-12-20 11:49:19 -05:00
Patrick Schleizer
71496a33ab
skip folders are these are not suid / guid
2019-12-20 11:47:53 -05:00
Patrick Schleizer
9321ecff41
no more need to add/remove /
2019-12-20 11:43:53 -05:00
Patrick Schleizer
b95225b6a6
pipefail
2019-12-20 11:37:05 -05:00
Patrick Schleizer
cad6f328f4
minor
2019-12-20 11:34:44 -05:00
Patrick Schleizer
3265f9894d
output
2019-12-20 11:27:43 -05:00
Patrick Schleizer
1615ebec58
output
2019-12-20 11:07:44 -05:00
Patrick Schleizer
1e11b775cf
output
2019-12-20 11:05:05 -05:00
Patrick Schleizer
731f802895
output
2019-12-20 11:04:12 -05:00
Patrick Schleizer
cd8efe5800
output
2019-12-20 11:03:22 -05:00
Patrick Schleizer
b31abea0af
improve error handling
2019-12-20 10:49:31 -05:00
Patrick Schleizer
79cd3b86b6
comment
2019-12-20 10:47:23 -05:00
Patrick Schleizer
b3458cc6ee
fix checking existing entries to avoid needless calls to dpkg-statoverride
2019-12-20 10:45:59 -05:00
Patrick Schleizer
370f3c5e54
comment
2019-12-20 10:35:05 -05:00
Patrick Schleizer
133d09f298
output
2019-12-20 10:33:16 -05:00
Patrick Schleizer
1ffa8e197e
speed up setuid removal by using find with '-perm /u=s,g=s'
...
https://forums.whonix.org/t/permission-hardening/8655/19
2019-12-20 10:31:26 -05:00
Patrick Schleizer
4cfdf2c65b
fix, re-enforce nosuid even if changed on the disk
2019-12-20 10:21:27 -05:00
Patrick Schleizer
e36868e675
output
2019-12-20 10:02:46 -05:00
Patrick Schleizer
50b8f65490
add sanity test: count if we really processed all files
2019-12-20 09:59:28 -05:00
Patrick Schleizer
55faa7b997
fix missing processing files bug
...
https://forums.whonix.org/t/permission-hardening/8655/16
2019-12-20 09:43:23 -05:00
Patrick Schleizer
fbe2479f48
count processed file system objects
...
to be able to verify if any were "forgotten"
2019-12-20 08:54:56 -05:00
Patrick Schleizer
195ea522f5
fix
2019-12-20 08:52:14 -05:00
Patrick Schleizer
6f8231be70
debugging
2019-12-20 08:51:55 -05:00
Patrick Schleizer
ed50f98010
output
2019-12-20 08:47:22 -05:00
Patrick Schleizer
6d30e3b4a2
do not remove suid from whitelisted binaries ever
...
https://forums.whonix.org/t/permission-hardening/8655/13
2019-12-20 08:13:23 -05:00
Patrick Schleizer
d5f1bd8dd2
fix mode sanity check
...
no longer use seq due to issue
https://forums.whonix.org/t/permission-hardening/8655/13
2019-12-20 08:02:30 -05:00
Patrick Schleizer
0ae3e689b5
comment
2019-12-20 06:35:02 -05:00
Patrick Schleizer
050f4d8b94
comment
2019-12-20 06:34:37 -05:00
Patrick Schleizer
36043fe5cc
comment
2019-12-20 06:33:41 -05:00
Patrick Schleizer
fb4254547b
comment
2019-12-20 06:32:04 -05:00
Patrick Schleizer
cca0908d9a
fix
2019-12-20 06:11:38 -05:00
Patrick Schleizer
e254b8b52d
fix
2019-12-20 06:09:17 -05:00
Patrick Schleizer
7f8b3c76de
output
2019-12-20 06:02:17 -05:00
Patrick Schleizer
071c64dc41
enable 'set -e'
2019-12-20 06:01:49 -05:00
Patrick Schleizer
b97c66707c
minor
2019-12-20 05:59:05 -05:00
Patrick Schleizer
17b4f12276
output
2019-12-20 05:58:42 -05:00
Patrick Schleizer
918cbb4e25
output
2019-12-20 05:51:25 -05:00
Patrick Schleizer
c8cf09a4cb
output
2019-12-20 05:50:16 -05:00
Patrick Schleizer
46466c12ad
parse drop-in config folder rather than only one config file
2019-12-20 05:49:11 -05:00
Patrick Schleizer
66fd31189d
improve output if set-user-id / set-group-id is set
2019-12-20 05:37:33 -05:00
Patrick Schleizer
6dd6530fa5
remove hardening-enable
...
please invent package security-paranoid instead
https://forums.whonix.org/t/security-hardening-tool-usr-bin-hardening-enable-by-security-misc/8609
2019-12-20 05:32:26 -05:00
Patrick Schleizer
af0f074987
remount /lib with nosuid,nodev
...
https://forums.whonix.org/t/re-mount-home-and-other-with-noexec-and-nosuid-among-other-useful-mount-options-for-better-security/7707/22
2019-12-20 05:27:11 -05:00
Patrick Schleizer
a135ae9400
use must manually enable permission-hardening.service
...
until development finished
2019-12-20 05:22:59 -05:00
Patrick Schleizer
fa6f1e1568
output
2019-12-20 05:19:39 -05:00
Patrick Schleizer
a26cb94bfd
globstar no longer required
2019-12-20 04:49:21 -05:00
Patrick Schleizer
c66e9abe18
comment
2019-12-20 04:48:57 -05:00
Patrick Schleizer
d1d0afff34
fix
...
fso: /lib/
usr/lib/security-misc/permission-hardening: line 19: /usr/bin/stat: Argument list too long
https://forums.whonix.org/t/kernel-hardening/7296/326
2019-12-20 04:48:02 -05:00
Patrick Schleizer
e74d2e4f94
output
2019-12-20 04:23:14 -05:00
Patrick Schleizer
eb86359033
refactoring
2019-12-20 04:20:05 -05:00
Patrick Schleizer
bb84fca184
refactoring
2019-12-20 04:08:46 -05:00
Patrick Schleizer
f92b414195
refactoring
2019-12-20 04:06:28 -05:00
Patrick Schleizer
4c44871e9d
comment
2019-12-20 04:02:05 -05:00
Patrick Schleizer
6876a2eaa8
comment
2019-12-20 04:01:40 -05:00
Patrick Schleizer
35c4fce61b
fix "dpkg-statoverride: warning: stripping trailing /"
2019-12-20 03:54:46 -05:00
Patrick Schleizer
9bd9012ab1
refactoring
2019-12-20 03:46:50 -05:00
Patrick Schleizer
55933f8876
refactoring
2019-12-20 03:43:36 -05:00
Patrick Schleizer
9e493a9f48
refactoring
2019-12-20 03:42:09 -05:00
Patrick Schleizer
b92a690c16
refactoring
2019-12-20 03:40:47 -05:00
Patrick Schleizer
98535e3a2b
refactoring
2019-12-20 03:39:25 -05:00
Patrick Schleizer
ecbba2fd61
refactoring
2019-12-20 03:38:39 -05:00
Patrick Schleizer
20b8a407ac
refactoring
2019-12-20 03:25:17 -05:00
Patrick Schleizer
6cd9eb44fb
refactoring
2019-12-20 03:24:07 -05:00
Patrick Schleizer
706dba104d
code simplification
2019-12-20 03:19:12 -05:00
Patrick Schleizer
01dd567f8b
fix, if fso has exactly the mode we want (not 3 instead of 4 string length), not need to reset it
2019-12-20 03:16:43 -05:00
Patrick Schleizer
4f65b0fc1e
refactoring
2019-12-20 03:13:27 -05:00
Patrick Schleizer
bfee6b60cb
comment
2019-12-20 03:11:11 -05:00
Patrick Schleizer
d64cdc1247
refactoring
2019-12-20 03:04:41 -05:00
Patrick Schleizer
7c5c65a6c1
comment
2019-12-20 03:04:13 -05:00
Patrick Schleizer
b31d8cd3fc
fix
2019-12-20 03:03:40 -05:00
Patrick Schleizer
c626290673
refactoring
2019-12-20 03:02:26 -05:00
Patrick Schleizer
d5ff1d6f28
refactoring
2019-12-20 03:00:39 -05:00
Patrick Schleizer
640ca1d24d
skip symlinks
...
https://forums.whonix.org/t/kernel-hardening/7296/323 ?
2019-12-20 02:57:57 -05:00
Patrick Schleizer
cc8f795799
comment
2019-12-20 02:47:04 -05:00
Patrick Schleizer
4e5b222a08
comment
2019-12-20 02:43:33 -05:00
Patrick Schleizer
fa895ee11e
refactoring
2019-12-20 02:40:42 -05:00
Patrick Schleizer
2c163bf439
check string length of permission variable
...
https://forums.whonix.org/t/kernel-hardening/7296/322
2019-12-20 02:39:53 -05:00
Patrick Schleizer
a89befd902
code simplification
2019-12-20 02:20:54 -05:00
Patrick Schleizer
72812da63f
comment
2019-12-20 02:16:32 -05:00
Patrick Schleizer
39a41cc27b
refactoring
2019-12-20 02:14:45 -05:00
Patrick Schleizer
2ed6452590
downgrade to info
2019-12-20 02:12:43 -05:00
Patrick Schleizer
a5e55dfcfc
quotes
2019-12-20 02:11:39 -05:00
Patrick Schleizer
3187cee4fb
output
2019-12-20 02:10:13 -05:00
Patrick Schleizer
5160b4c781
disable xtrace
2019-12-20 02:08:05 -05:00
Patrick Schleizer
27bfe95d25
add echo wrapper
2019-12-20 02:07:49 -05:00
Patrick Schleizer
a6988f3fb8
output
2019-12-20 02:06:31 -05:00
Patrick Schleizer
1819577b88
fix
2019-12-20 02:04:34 -05:00
Patrick Schleizer
278c60c5a0
exit non-zero if some line cannot be parsed
...
therefore make systemd notice this
therefore allow the sysadmin to notice this
2019-12-20 02:01:36 -05:00
Patrick Schleizer
66bcba8313
improve character whitelisting
2019-12-20 01:58:35 -05:00
Patrick Schleizer
8f14e808a9
send error messages to stderr
2019-12-20 01:32:49 -05:00
Patrick Schleizer
d8c9fac2e5
output
2019-12-20 01:32:08 -05:00
Patrick Schleizer
f19abaf627
refactoring
2019-12-20 01:31:37 -05:00
madaidan
3c2ca0257f
Support for removing SUID bits
2019-12-19 17:01:08 +00:00
Patrick Schleizer
4ca9fc5920
fix
2019-12-16 03:53:10 -05:00
Patrick Schleizer
f68efd53cf
remount /sys/kernel/security with nodev,nosuid[,noexec]
...
as suggested by @madaidan
http://forums.whonix.org/t/apparmor-for-complete-system-including-init-pid1-systemd-everything-full-system-mac-policy/8339/238
2019-12-16 03:52:09 -05:00
Patrick Schleizer
300f010fc2
increase priority of pam-abort-on-locked-password-security-misc
...
since it has its own user help output
so it shows before pam tally2 info
to avoid duplicate non-applicable help text
2019-12-12 09:29:00 -05:00
Patrick Schleizer
729fa26eca
use pam_acccess only for /etc/pam.d/login
...
remove "Allow members of group 'ssh' to login."
remove "+:ssh:ALL EXCEPT LOCAL"
2019-12-12 09:00:08 -05:00
Patrick Schleizer
b72eb30056
quotes
2019-12-09 02:32:05 -05:00
Patrick Schleizer
c258376b7e
use read (built-in) rather than awk (external)
2019-12-09 02:31:10 -05:00
Patrick Schleizer
02165201ab
read -r; refactoring
...
as per https://mywiki.wooledge.org/BashFAQ/001
2019-12-09 02:23:43 -05:00
Patrick Schleizer
7467252122
quotes
2019-12-09 02:22:16 -05:00
madaidan
61e19fa5f1
Create permission-hardening
2019-12-08 16:49:28 +00:00
Patrick Schleizer
c192644ee3
security-misc /usr/share/pam-configs/permission-lockdown-security-misc
is no longer required, removed.
...
Thereby fix apparmor issue.
> Dec 08 09:47:50 host audit[3232]: AVC apparmor="DENIED" operation="exec" profile="/usr/bin/whonixcheck" name="/usr/lib/security-misc/permission-lockdown" pid=3232 comm="sudo" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
> Dec 08 09:47:50 host sudo[3232]: pam_exec(sudo:session): execve(/usr/lib/security-misc/permission-lockdown,...) failed: Permission denied
It is no longer required, because...
existing linux user accounts:
* Get permission lock down because security-misc `debian/security-misc.postinst` calls `/usr/lib/security-misc/permission-lockdown`.
new linux user accounts (created at first boot):
* security-misc `/usr/share/pam-configs/mkhomedir-security-misc` pam mkhomedir sets secure permissions using `umask=027`.
2019-12-08 05:21:35 -05:00
Patrick Schleizer
ac96708b24
improve usr/bin/hardening-enable
2019-12-08 04:01:11 -05:00
Patrick Schleizer
50ac03363f
output
2019-12-08 03:18:32 -05:00
Patrick Schleizer
c7c65fe4e7
higher priority usr/share/pam-configs/tally2-security-misc
...
so it can give info before pam stack gets aborted by other pam modules
2019-12-08 03:15:53 -05:00
Patrick Schleizer
3bd0b3f837
notify when attempting to use ssh but user is member of group ssh
2019-12-08 03:10:41 -05:00
Patrick Schleizer
1dbca1ea2d
add usr/bin/hardening-enable
2019-12-08 02:27:09 -05:00
Patrick Schleizer
19cc6d7555
pam description
2019-12-08 02:10:43 -05:00
Patrick Schleizer
b871421a54
usr/share/pam-configs/console-lockdown -> usr/share/pam-configs/console-lockdown-security-misc
2019-12-08 01:57:43 -05:00
madaidan
6846a94327
Check for more locations of System.map
2019-12-07 19:38:12 +00:00
madaidan
668b6420de
Remove hyphen
2019-12-07 14:15:02 +00:00
Patrick Schleizer
9ba84f34c6
comment
2019-12-07 06:51:59 -05:00
Patrick Schleizer
dc1dfc8c20
output
2019-12-07 06:51:16 -05:00
Patrick Schleizer
532a1525c2
comment
2019-12-07 06:26:55 -05:00
Patrick Schleizer
14aa6c5077
comment
2019-12-07 06:26:23 -05:00
Patrick Schleizer
8b3f5a555b
add console lockdown to pam info output
2019-12-07 06:25:45 -05:00
Patrick Schleizer
6479c883bf
Console Lockdown.
...
Allow members of group 'console' to use tty1 to tty7. Everyone else except
members of group 'console-unrestricted' are restricted from using console
using ancient, unpopular login methods such as using /bin/login over networks,
which might be exploitable. (CVE-2001-0797)
Not enabled by default in this package since this package does not know which
users shall be added to group 'console'.
In new Whonix builds, user 'user" will be added to group 'console' and
pam console-lockdown enabled by package anon-base-files.
/usr/share/pam-configs/console-lockdown
/etc/security/access-security-misc.conf
https://forums.whonix.org/t/etc-security-hardening/8592
2019-12-07 05:40:20 -05:00
Patrick Schleizer
5a4eda0d05
also support /usr/local/etc/remount-disable and /usr/local/etc/noexec
2019-12-07 01:53:33 -05:00
Patrick Schleizer
9b14f24d5e
refactoring
2019-12-06 11:17:32 -05:00
Patrick Schleizer
a6133f5912
output
2019-12-06 11:16:43 -05:00
Patrick Schleizer
c1ea35e2ef
output
2019-12-06 11:15:54 -05:00
Patrick Schleizer
4bec41379d
fix remount with noexec if /etc/noexec exists
2019-12-06 11:15:13 -05:00
Patrick Schleizer
470cad6e91
remount /home /tmp /dev/shm /run with nosuid,nodev (default) and noexec (opt-in)
...
https://forums.whonix.org/t/re-mount-home-and-other-with-noexec-and-nosuid-among-other-useful-mount-options-for-better-security/7707
2019-12-06 05:14:02 -05:00
Patrick Schleizer
aa5451c8cd
Lock user accounts after 50 rather than 100 failed login attempts.
...
https://forums.whonix.org/t/how-strong-do-linux-user-account-passwords-have-to-be-when-using-full-disk-encryption-fde-too/7698/19
2019-11-25 01:39:53 -05:00
Patrick Schleizer
fe1f1b73a7
load jitterentropy_rng kernel module for better entropy collection
...
https://www.whonix.org/wiki/Dev/Entropy
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=927972
https://forums.whonix.org/t/jitterentropy-rngd/7204
2019-11-23 11:20:32 +00:00
Patrick Schleizer
03e8023847
output
2019-11-22 14:11:30 -05:00
Patrick Schleizer
2e73c053b5
fix lintian warning
2019-11-09 12:55:00 +00:00
Patrick Schleizer
74293bcd2f
output
2019-11-05 01:59:25 -05:00
Patrick Schleizer
2b5b06b602
output
2019-11-05 01:59:19 -05:00
Patrick Schleizer
d6977becba
refactoring
2019-11-05 01:51:14 -05:00
Patrick Schleizer
daf0006795
comment
2019-11-05 01:50:27 -05:00
Patrick Schleizer
203d5cfa68
copyright
2019-10-31 11:19:44 -04:00
Patrick Schleizer
bce5274a15
quotes fix
2019-10-22 09:22:29 -04:00
Patrick Schleizer
e20b9e2133
better solution when using pkexec with --user: wrap sudo --user with lxqt-sudo
2019-10-22 09:08:18 -04:00
Patrick Schleizer
d4e02de43a
set SUDO_ASKPASS for pkexec wrapper when using sudo --askpass
2019-10-22 09:04:44 -04:00
Patrick Schleizer
1a65a91039
long rather than short option
2019-10-22 08:56:05 -04:00
Patrick Schleizer
b55913637b
silence output by mount/grep
2019-10-22 08:54:48 -04:00
Patrick Schleizer
a1154170c9
Call original pkexec in case there are no arguments.
2019-10-22 08:54:17 -04:00
Patrick Schleizer
1e4d0ea1d0
fix lintian warning
2019-10-21 09:55:05 +00:00
Patrick Schleizer
343d9cc916
fix
2019-10-21 09:53:55 +00:00
Patrick Schleizer
40707e70db
Redirect calls for pkexec to lxqt-sudo because pkexec is incompatible with hidepid.
...
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=860040
https://forums.whonix.org/t/cannot-use-pkexec/8129
Thanks to AnonymousUser for the bug report!
2019-10-21 05:46:49 -04:00
Patrick Schleizer
a5045dc26e
set -e
2019-10-17 06:18:32 -04:00
Patrick Schleizer
4aba027566
syntax check
2019-10-17 06:12:36 -04:00
Patrick Schleizer
8b9aa8841a
fix
2019-10-17 06:11:01 -04:00
Patrick Schleizer
cfbd77040a
set "shopt -s nullglob" to avoid failing when folder /etc/hide-hardware-info.d
...
does not exist or is empty
2019-10-17 06:10:29 -04:00
Patrick Schleizer
b05663c5f6
shuffle
...
https://forums.whonix.org/t/restrict-hardware-information-to-root/7329/80
2019-10-17 06:08:55 -04:00
Patrick Schleizer
28a440091d
code simplification
2019-10-17 06:08:16 -04:00
Patrick Schleizer
3c4e261c20
remove trailing spaces
2019-10-17 06:05:23 -04:00
Patrick Schleizer
8a42c5b023
Merge pull request #34 from madaidan/whitelist
...
Add a whitelist for /sys and /proc/cpuinfo
2019-10-17 09:59:12 +00:00
madaidan
61f742304d
return 0
2019-10-16 19:46:59 +00:00
madaidan
ffba0e0179
Elaborate
2019-10-16 19:04:15 +00:00
madaidan
f08c03ab21
Restrict sysfs/cpuinfo if the whitelist is disabled
2019-10-16 15:39:23 +00:00
madaidan
6b78dbcd07
Add way to whitelist things
2019-10-15 20:57:02 +00:00
Patrick Schleizer
d2bc3a2a08
chmod +x usr/lib/security-misc/hide-hardware-info
2019-10-05 09:14:41 +00:00
madaidan
87917d2f03
Add licensing
2019-10-03 21:38:07 +00:00
madaidan
9449f5017a
Create hide-hardware-info
2019-10-03 20:45:14 +00:00
Patrick Schleizer
75258843e9
copyright
2019-09-16 13:03:43 +00:00
Patrick Schleizer
8e39cea876
comment
2019-09-16 13:03:25 +00:00
Patrick Schleizer
bac462f211
comment
2019-09-16 13:03:02 +00:00
Patrick Schleizer
bec680d4f3
pam_tally2-info: fix, do nothing when started as user "user"
...
xscreensaver runs as user "user", therefore pam_tally2 cannot function.
xscreensaver has its own failed login counter.
as user "user"
/sbin/pam_tally2 -u user
pam_tally2: Error opening /var/log/tallylog for update: Permission denied
/sbin/pam_tally2: Authentication error
https://askubuntu.com/questions/983183/how-lock-the-unlock-screen-after-wrong-password-attempts
https://forums.whonix.org/t/how-strong-do-linux-user-account-passwords-have-to-be-when-using-full-disk-encryption-fde-too/7698
2019-09-16 12:30:23 +00:00
Patrick Schleizer
0ae5c5ff14
remove umask changes since these are causing issues are are not needed anymore
...
thanks to home folder permission lockdown
https://forums.whonix.org/t/change-default-umask/7416/45
2019-08-24 12:14:22 -04:00
Patrick Schleizer
0140df8668
virusforget
2019-08-19 08:43:28 +00:00
Patrick Schleizer
113ab42568
virusforget
2019-08-19 08:31:23 +00:00
Patrick Schleizer
416906d4f9
virusforget
2019-08-19 08:19:35 +00:00
Patrick Schleizer
2d867d9fee
virusforget
2019-08-19 08:10:18 +00:00
Patrick Schleizer
8e76e6b8b3
fix
2019-08-19 07:48:12 +00:00
Patrick Schleizer
3f068f77fe
keep cache folder outside of reach of user since even user can remove files
...
owned by root in its home folder
2019-08-19 07:47:20 +00:00
Patrick Schleizer
1fa1efa58e
credits
2019-08-19 07:22:09 +00:00
Patrick Schleizer
1e026a3ebb
initial development version of VirusForget
2019-08-18 22:50:44 +00:00
Patrick Schleizer
41b2819ec8
PAM: abort on locked password
...
to avoid needlessly bumping pam_tally2 counter
https://forums.whonix.org/t/restrict-root-access/7658/1
2019-08-17 10:33:47 +00:00
Patrick Schleizer
ed90d8b025
change default umask to 027
...
as per:
https://forums.whonix.org/t/change-default-umask/7416/47
2019-08-17 09:55:20 +00:00
Patrick Schleizer
17cfcb63b6
code simplification; report locked account earlier
2019-08-16 10:50:56 -04:00
Patrick Schleizer
ff9bc1d7ea
informational output during PAM:
...
* Show failed and remaining password attempts.
* Document unlock procedure if Linux user account got locked.
* Point out, that there is no password feedback for `su`.
* Explain locked (root) account if locked.
* /usr/share/pam-configs/tally2-security-misc
* /usr/lib/security-misc/pam_tally2-info
2019-08-15 13:37:28 +00:00
Patrick Schleizer
454e135822
pam_tally2.so even_deny_root
2019-08-15 07:33:41 +00:00
Patrick Schleizer
63b476221c
use requisite rather than required to avoid asking for password needlessly
...
if login will fail anyhow
2019-08-15 07:30:56 +00:00
Patrick Schleizer
8fdc77fed5
output to stdout
2019-08-14 10:33:23 +00:00
Patrick Schleizer
547ba91d79
sanity test
2019-08-14 09:45:30 +00:00
Patrick Schleizer
799acad724
skip, if not a folder
2019-08-14 09:39:43 +00:00
Patrick Schleizer
6321ff5ad5
refactoring
2019-08-14 09:38:44 +00:00
Patrick Schleizer
15094cab4f
avoid ' character in usr/share/pam-configs; in description
2019-08-14 09:36:30 +00:00
Patrick Schleizer
97d1945e61
no log needed, informative output to stdout instead
2019-08-14 09:32:58 +00:00
Patrick Schleizer
a085d46c56
change priories so "pam_umask.so usergroups umask=006" runs before pam_exec.so /usr/lib/security-misc/permission-lockdown
2019-08-14 09:31:58 +00:00
Patrick Schleizer
f8c828b69a
output
2019-08-14 05:19:02 -04:00
Patrick Schleizer
e5da6d9699
copyright
2019-08-14 05:17:54 -04:00
Patrick Schleizer
1595789d7c
comment
2019-08-14 05:17:16 -04:00
Patrick Schleizer
ce06fdf911
formatting
2019-08-14 05:15:53 -04:00
Patrick Schleizer
21489111d1
run permission lockdown during pam
...
https://forums.whonix.org/t/change-default-umask/7416
2019-08-14 08:34:03 +00:00
Patrick Schleizer
52df8dc014
optional pam_umask.so usergroups umask=006
2019-08-14 07:37:21 +00:00
Patrick Schleizer
dbea7d1511
add hook etc/kernel/postinst.d/30_remove-system-map to remove system.map
...
on kernel package upgrade;
self-document this package: during upgrade the following will be written
to stdout:
Setting up linux-image-4.19.0-5-amd64 (4.19.37-5+deb10u2) ...
/etc/kernel/postinst.d/30_remove-system-map:
removed '/boot/System.map-4.19.0-5-amd64
2019-08-14 07:22:14 +00:00
Patrick Schleizer
2f37a66fd0
description
2019-08-11 10:31:29 +00:00
Patrick Schleizer
e83ec79a25
enable usr/share/pam-configs/mkhomedir-security-misc by default
2019-08-11 10:30:51 +00:00
Patrick Schleizer
1eb806a03e
pam_mkhomedir.so umask=006
2019-08-11 10:29:49 +00:00
Patrick Schleizer
c50eb3c9b0
add usr/share/pam-configs/mkhomedir-security-misc based on
...
/usr/share/pam-configs/mkhomedir
2019-08-11 10:28:55 +00:00
Patrick Schleizer
a2fa18c381
pam_tally2.so deny=100
...
during testing, due to issues
d17e25272b
https://forums.whonix.org/t/how-strong-do-linux-user-account-passwords-have-to-be-when-using-full-disk-encryption-fde-too/7698/12
2019-08-10 07:07:28 -04:00
Patrick Schleizer
d17e25272b
effectively (not directly) add "required pam_tally2.so debug" to /etc/pam.d/common-account
...
This is required because otherwise something like "sudo bash" would count as a
failed login for pam_tally2 even though it was successful.
https://bugzilla.redhat.com/show_bug.cgi?id=707660
https://forums.whonix.org/t/restrict-root-access/7658
2019-08-10 06:06:39 -04:00
Patrick Schleizer
0f896a9d8d
add onerr=fail audit to pam_tally2
2019-08-10 06:05:37 -04:00
Patrick Schleizer
e076470f68
renamed: usr/share/pam-configs/usergroups -> usr/share/pam-configs/usergroups-security-misc
2019-08-01 11:04:58 +00:00
Patrick Schleizer
830111e99a
split usr/share/pam-configs/security-misc
...
into
usr/share/pam-configs/tally2-security-misc
usr/share/pam-configs/wheel-security-misc
2019-08-01 11:04:22 +00:00
Patrick Schleizer
89d32402b2
fix, do not use "," inside /usr/share/pam-configs files
2019-07-31 14:52:29 -04:00
Patrick Schleizer
cf90668756
lock user accounts after 5 failed authentication attempts using pam_tally2
2019-07-31 03:25:02 -04:00
Patrick Schleizer
3e29761560
debug at the end
2019-07-31 03:17:06 -04:00
Patrick Schleizer
5cdb3edb32
usr/share/pam-configs/wheel -> usr/share/pam-configs/security-misc
2019-07-31 03:16:41 -04:00
Patrick Schleizer
3f9437f1ec
Revert "set back to default group "root" rather than group "sudo" membership required to use su"
...
This reverts commit 2f276cdb10
.
2019-07-17 14:25:19 -04:00
Patrick Schleizer
2f276cdb10
set back to default group "root" rather than group "sudo" membership required to use su
...
since root login will be locked by default anyhow
Thanks to @madaidan for providing the rationale!
https://forums.whonix.org/t/restrict-root-access/7658/42
2019-07-15 08:44:28 -04:00
Patrick Schleizer
6d1e8ac9a4
description
2019-07-14 11:16:49 +00:00
Patrick Schleizer
ffb61f43ea
fix, add 'group=sudo' and 'debug' for debugging
...
https://forums.whonix.org/t/restrict-root-access/7658
2019-07-14 11:11:59 +00:00
Patrick Schleizer
6af2d7facb
copyright
2019-07-13 18:12:25 +00:00
Patrick Schleizer
75f0ca565d
set -e
2019-07-13 18:12:04 +00:00
Patrick Schleizer
c389e13e1a
use pre.bsh
2019-07-13 17:59:49 +00:00
Patrick Schleizer
e9eb38b5db
formatting
2019-07-13 15:04:09 +00:00