Git-Mirrors/security-misc
1
0
Fork 0
mirror of https://github.com/Kicksecure/security-misc.git synced 2024-12-27 10:59:27 -05:00
Code Issues Packages Projects Releases Wiki Activity
706 Commits 2 Branches 291 Tags 8.2 MiB
3187cee4fb
Commit Graph

161 Commits

Author SHA1 Message Date
Patrick Schleizer
3187cee4fb
output 2019-12-20 02:10:13 -05:00
Patrick Schleizer
5160b4c781
disable xtrace 2019-12-20 02:08:05 -05:00
Patrick Schleizer
27bfe95d25
add echo wrapper 2019-12-20 02:07:49 -05:00
Patrick Schleizer
a6988f3fb8
output 2019-12-20 02:06:31 -05:00
Patrick Schleizer
1819577b88
fix 2019-12-20 02:04:34 -05:00
Patrick Schleizer
278c60c5a0
exit non-zero if some line cannot be parsed 
therefore make systemd notice this

therefore allow the sysadmin to notice this
 2019-12-20 02:01:36 -05:00
Patrick Schleizer
66bcba8313
improve character whitelisting 2019-12-20 01:58:35 -05:00
Patrick Schleizer
8f14e808a9
send error messages to stderr 2019-12-20 01:32:49 -05:00
Patrick Schleizer
d8c9fac2e5
output 2019-12-20 01:32:08 -05:00
Patrick Schleizer
f19abaf627
refactoring 2019-12-20 01:31:37 -05:00
madaidan
3c2ca0257f
Support for removing SUID bits 2019-12-19 17:01:08 +00:00
Patrick Schleizer
4ca9fc5920
fix 2019-12-16 03:53:10 -05:00
Patrick Schleizer
f68efd53cf
remount /sys/kernel/security with nodev,nosuid[,noexec] 
as suggested by @madaidan

http://forums.whonix.org/t/apparmor-for-complete-system-including-init-pid1-systemd-everything-full-system-mac-policy/8339/238
 2019-12-16 03:52:09 -05:00
Patrick Schleizer
300f010fc2
increase priority of pam-abort-on-locked-password-security-misc 
since it has its own user help output

so it shows before pam tally2 info

to avoid duplicate non-applicable help text
 2019-12-12 09:29:00 -05:00
Patrick Schleizer
729fa26eca
use pam_acccess only for /etc/pam.d/login 
remove "Allow members of group 'ssh' to login."
remove "+:ssh:ALL EXCEPT LOCAL"
 2019-12-12 09:00:08 -05:00
Patrick Schleizer
b72eb30056
quotes 2019-12-09 02:32:05 -05:00
Patrick Schleizer
c258376b7e
use read (built-in) rather than awk (external) 2019-12-09 02:31:10 -05:00
Patrick Schleizer
02165201ab
read -r; refactoring 
as per https://mywiki.wooledge.org/BashFAQ/001
 2019-12-09 02:23:43 -05:00
Patrick Schleizer
7467252122
quotes 2019-12-09 02:22:16 -05:00
madaidan
61e19fa5f1
Create permission-hardening 2019-12-08 16:49:28 +00:00
Patrick Schleizer
c192644ee3
security-misc /usr/share/pam-configs/permission-lockdown-security-misc is no longer required, removed. 
Thereby fix apparmor issue.

> Dec 08 09:47:50 host audit[3232]: AVC apparmor="DENIED" operation="exec" profile="/usr/bin/whonixcheck" name="/usr/lib/security-misc/permission-lockdown" pid=3232 comm="sudo" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
> Dec 08 09:47:50 host sudo[3232]: pam_exec(sudo:session): execve(/usr/lib/security-misc/permission-lockdown,...) failed: Permission denied

It is no longer required, because...

existing linux user accounts:

* Get permission lock down because security-misc `debian/security-misc.postinst` calls `/usr/lib/security-misc/permission-lockdown`.

new linux user accounts (created at first boot):

* security-misc `/usr/share/pam-configs/mkhomedir-security-misc` pam mkhomedir sets secure permissions using `umask=027`.
 2019-12-08 05:21:35 -05:00
Patrick Schleizer
ac96708b24
improve usr/bin/hardening-enable 2019-12-08 04:01:11 -05:00
Patrick Schleizer
50ac03363f
output 2019-12-08 03:18:32 -05:00
Patrick Schleizer
c7c65fe4e7
higher priority usr/share/pam-configs/tally2-security-misc 
so it can give info before pam stack gets aborted by other pam modules
 2019-12-08 03:15:53 -05:00
Patrick Schleizer
3bd0b3f837
notify when attempting to use ssh but user is member of group ssh 2019-12-08 03:10:41 -05:00
Patrick Schleizer
1dbca1ea2d
add usr/bin/hardening-enable 2019-12-08 02:27:09 -05:00
Patrick Schleizer
19cc6d7555
pam description 2019-12-08 02:10:43 -05:00
Patrick Schleizer
b871421a54
usr/share/pam-configs/console-lockdown -> usr/share/pam-configs/console-lockdown-security-misc 2019-12-08 01:57:43 -05:00
madaidan
6846a94327
Check for more locations of System.map 2019-12-07 19:38:12 +00:00
madaidan
668b6420de
Remove hyphen 2019-12-07 14:15:02 +00:00
Patrick Schleizer
9ba84f34c6
comment 2019-12-07 06:51:59 -05:00
Patrick Schleizer
dc1dfc8c20
output 2019-12-07 06:51:16 -05:00
Patrick Schleizer
532a1525c2
comment 2019-12-07 06:26:55 -05:00
Patrick Schleizer
14aa6c5077
comment 2019-12-07 06:26:23 -05:00
Patrick Schleizer
8b3f5a555b
add console lockdown to pam info output 2019-12-07 06:25:45 -05:00
Patrick Schleizer
6479c883bf
Console Lockdown. 
Allow members of group 'console' to use tty1 to tty7. Everyone else except
members of group 'console-unrestricted' are restricted from using console
using ancient, unpopular login methods such as using /bin/login over networks,
which might be exploitable. (CVE-2001-0797)

Not enabled by default in this package since this package does not know which
users shall be added to group 'console'.

In new Whonix builds, user 'user" will be added to group 'console' and
pam console-lockdown enabled by package anon-base-files.

/usr/share/pam-configs/console-lockdown

/etc/security/access-security-misc.conf

https://forums.whonix.org/t/etc-security-hardening/8592
 2019-12-07 05:40:20 -05:00
Patrick Schleizer
5a4eda0d05
also support /usr/local/etc/remount-disable and /usr/local/etc/noexec 2019-12-07 01:53:33 -05:00
Patrick Schleizer
9b14f24d5e
refactoring 2019-12-06 11:17:32 -05:00
Patrick Schleizer
a6133f5912
output 2019-12-06 11:16:43 -05:00
Patrick Schleizer
c1ea35e2ef
output 2019-12-06 11:15:54 -05:00
Patrick Schleizer
4bec41379d
fix remount with noexec if /etc/noexec exists 2019-12-06 11:15:13 -05:00
Patrick Schleizer
470cad6e91
remount /home /tmp /dev/shm /run with nosuid,nodev (default) and noexec (opt-in) 
https://forums.whonix.org/t/re-mount-home-and-other-with-noexec-and-nosuid-among-other-useful-mount-options-for-better-security/7707
 2019-12-06 05:14:02 -05:00
Patrick Schleizer
aa5451c8cd
Lock user accounts after 50 rather than 100 failed login attempts. 
https://forums.whonix.org/t/how-strong-do-linux-user-account-passwords-have-to-be-when-using-full-disk-encryption-fde-too/7698/19
 2019-11-25 01:39:53 -05:00
Patrick Schleizer
fe1f1b73a7
load jitterentropy_rng kernel module for better entropy collection 
https://www.whonix.org/wiki/Dev/Entropy

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=927972

https://forums.whonix.org/t/jitterentropy-rngd/7204
 2019-11-23 11:20:32 +00:00
Patrick Schleizer
03e8023847
output 2019-11-22 14:11:30 -05:00
Patrick Schleizer
2e73c053b5
fix lintian warning 2019-11-09 12:55:00 +00:00
Patrick Schleizer
74293bcd2f
output 2019-11-05 01:59:25 -05:00
Patrick Schleizer
2b5b06b602
output 2019-11-05 01:59:19 -05:00
Patrick Schleizer
d6977becba
refactoring 2019-11-05 01:51:14 -05:00
Patrick Schleizer
daf0006795
comment 2019-11-05 01:50:27 -05:00