Commit Graph

330 Commits

Author SHA1 Message Date
Patrick Schleizer
b3458cc6ee
fix checking existing entries to avoid needless calls to dpkg-statoverride 2019-12-20 10:45:59 -05:00
Patrick Schleizer
370f3c5e54
comment 2019-12-20 10:35:05 -05:00
Patrick Schleizer
133d09f298
output 2019-12-20 10:33:16 -05:00
Patrick Schleizer
1ffa8e197e
speed up setuid removal by using find with '-perm /u=s,g=s'
https://forums.whonix.org/t/permission-hardening/8655/19
2019-12-20 10:31:26 -05:00
Patrick Schleizer
4cfdf2c65b
fix, re-enforce nosuid even if changed on the disk 2019-12-20 10:21:27 -05:00
Patrick Schleizer
e36868e675
output 2019-12-20 10:02:46 -05:00
Patrick Schleizer
50b8f65490
add sanity test: count if we really processed all files 2019-12-20 09:59:28 -05:00
Patrick Schleizer
55faa7b997
fix missing processing files bug
https://forums.whonix.org/t/permission-hardening/8655/16
2019-12-20 09:43:23 -05:00
Patrick Schleizer
fbe2479f48
count processed file system objects
to be able to verify if any were "forgotten"
2019-12-20 08:54:56 -05:00
Patrick Schleizer
195ea522f5
fix 2019-12-20 08:52:14 -05:00
Patrick Schleizer
6f8231be70
debugging 2019-12-20 08:51:55 -05:00
Patrick Schleizer
ed50f98010
output 2019-12-20 08:47:22 -05:00
Patrick Schleizer
6d30e3b4a2
do not remove suid from whitelisted binaries ever
https://forums.whonix.org/t/permission-hardening/8655/13
2019-12-20 08:13:23 -05:00
Patrick Schleizer
d5f1bd8dd2
fix mode sanity check
no longer use seq due to issue

https://forums.whonix.org/t/permission-hardening/8655/13
2019-12-20 08:02:30 -05:00
Patrick Schleizer
0ae3e689b5
comment 2019-12-20 06:35:02 -05:00
Patrick Schleizer
050f4d8b94
comment 2019-12-20 06:34:37 -05:00
Patrick Schleizer
36043fe5cc
comment 2019-12-20 06:33:41 -05:00
Patrick Schleizer
fb4254547b
comment 2019-12-20 06:32:04 -05:00
Patrick Schleizer
cca0908d9a
fix 2019-12-20 06:11:38 -05:00
Patrick Schleizer
e254b8b52d
fix 2019-12-20 06:09:17 -05:00
Patrick Schleizer
7f8b3c76de
output 2019-12-20 06:02:17 -05:00
Patrick Schleizer
071c64dc41
enable 'set -e' 2019-12-20 06:01:49 -05:00
Patrick Schleizer
b97c66707c
minor 2019-12-20 05:59:05 -05:00
Patrick Schleizer
17b4f12276
output 2019-12-20 05:58:42 -05:00
Patrick Schleizer
918cbb4e25
output 2019-12-20 05:51:25 -05:00
Patrick Schleizer
c8cf09a4cb
output 2019-12-20 05:50:16 -05:00
Patrick Schleizer
46466c12ad
parse drop-in config folder rather than only one config file 2019-12-20 05:49:11 -05:00
Patrick Schleizer
66fd31189d
improve output if set-user-id / set-group-id is set 2019-12-20 05:37:33 -05:00
Patrick Schleizer
6dd6530fa5
remove hardening-enable
please invent package security-paranoid instead

https://forums.whonix.org/t/security-hardening-tool-usr-bin-hardening-enable-by-security-misc/8609
2019-12-20 05:32:26 -05:00
Patrick Schleizer
af0f074987
remount /lib with nosuid,nodev
https://forums.whonix.org/t/re-mount-home-and-other-with-noexec-and-nosuid-among-other-useful-mount-options-for-better-security/7707/22
2019-12-20 05:27:11 -05:00
Patrick Schleizer
a135ae9400
use must manually enable permission-hardening.service
until development finished
2019-12-20 05:22:59 -05:00
Patrick Schleizer
fa6f1e1568
output 2019-12-20 05:19:39 -05:00
Patrick Schleizer
a26cb94bfd
globstar no longer required 2019-12-20 04:49:21 -05:00
Patrick Schleizer
c66e9abe18
comment 2019-12-20 04:48:57 -05:00
Patrick Schleizer
d1d0afff34
fix
fso: /lib/
usr/lib/security-misc/permission-hardening: line 19: /usr/bin/stat: Argument list too long

https://forums.whonix.org/t/kernel-hardening/7296/326
2019-12-20 04:48:02 -05:00
Patrick Schleizer
e74d2e4f94
output 2019-12-20 04:23:14 -05:00
Patrick Schleizer
eb86359033
refactoring 2019-12-20 04:20:05 -05:00
Patrick Schleizer
bb84fca184
refactoring 2019-12-20 04:08:46 -05:00
Patrick Schleizer
f92b414195
refactoring 2019-12-20 04:06:28 -05:00
Patrick Schleizer
4c44871e9d
comment 2019-12-20 04:02:05 -05:00
Patrick Schleizer
6876a2eaa8
comment 2019-12-20 04:01:40 -05:00
Patrick Schleizer
35c4fce61b
fix "dpkg-statoverride: warning: stripping trailing /" 2019-12-20 03:54:46 -05:00
Patrick Schleizer
9bd9012ab1
refactoring 2019-12-20 03:46:50 -05:00
Patrick Schleizer
55933f8876
refactoring 2019-12-20 03:43:36 -05:00
Patrick Schleizer
9e493a9f48
refactoring 2019-12-20 03:42:09 -05:00
Patrick Schleizer
b92a690c16
refactoring 2019-12-20 03:40:47 -05:00
Patrick Schleizer
98535e3a2b
refactoring 2019-12-20 03:39:25 -05:00
Patrick Schleizer
ecbba2fd61
refactoring 2019-12-20 03:38:39 -05:00
Patrick Schleizer
20b8a407ac
refactoring 2019-12-20 03:25:17 -05:00
Patrick Schleizer
6cd9eb44fb
refactoring 2019-12-20 03:24:07 -05:00
Patrick Schleizer
706dba104d
code simplification 2019-12-20 03:19:12 -05:00
Patrick Schleizer
01dd567f8b
fix, if fso has exactly the mode we want (not 3 instead of 4 string length), not need to reset it 2019-12-20 03:16:43 -05:00
Patrick Schleizer
4f65b0fc1e
refactoring 2019-12-20 03:13:27 -05:00
Patrick Schleizer
bfee6b60cb
comment 2019-12-20 03:11:11 -05:00
Patrick Schleizer
d64cdc1247
refactoring 2019-12-20 03:04:41 -05:00
Patrick Schleizer
7c5c65a6c1
comment 2019-12-20 03:04:13 -05:00
Patrick Schleizer
b31d8cd3fc
fix 2019-12-20 03:03:40 -05:00
Patrick Schleizer
c626290673
refactoring 2019-12-20 03:02:26 -05:00
Patrick Schleizer
d5ff1d6f28
refactoring 2019-12-20 03:00:39 -05:00
Patrick Schleizer
640ca1d24d
skip symlinks
https://forums.whonix.org/t/kernel-hardening/7296/323?
2019-12-20 02:57:57 -05:00
Patrick Schleizer
cc8f795799
comment 2019-12-20 02:47:04 -05:00
Patrick Schleizer
4e5b222a08
comment 2019-12-20 02:43:33 -05:00
Patrick Schleizer
fa895ee11e
refactoring 2019-12-20 02:40:42 -05:00
Patrick Schleizer
2c163bf439
check string length of permission variable
https://forums.whonix.org/t/kernel-hardening/7296/322
2019-12-20 02:39:53 -05:00
Patrick Schleizer
a89befd902
code simplification 2019-12-20 02:20:54 -05:00
Patrick Schleizer
72812da63f
comment 2019-12-20 02:16:32 -05:00
Patrick Schleizer
39a41cc27b
refactoring 2019-12-20 02:14:45 -05:00
Patrick Schleizer
2ed6452590
downgrade to info 2019-12-20 02:12:43 -05:00
Patrick Schleizer
a5e55dfcfc
quotes 2019-12-20 02:11:39 -05:00
Patrick Schleizer
3187cee4fb
output 2019-12-20 02:10:13 -05:00
Patrick Schleizer
5160b4c781
disable xtrace 2019-12-20 02:08:05 -05:00
Patrick Schleizer
27bfe95d25
add echo wrapper 2019-12-20 02:07:49 -05:00
Patrick Schleizer
a6988f3fb8
output 2019-12-20 02:06:31 -05:00
Patrick Schleizer
1819577b88
fix 2019-12-20 02:04:34 -05:00
Patrick Schleizer
278c60c5a0
exit non-zero if some line cannot be parsed
therefore make systemd notice this

therefore allow the sysadmin to notice this
2019-12-20 02:01:36 -05:00
Patrick Schleizer
66bcba8313
improve character whitelisting 2019-12-20 01:58:35 -05:00
Patrick Schleizer
8f14e808a9
send error messages to stderr 2019-12-20 01:32:49 -05:00
Patrick Schleizer
d8c9fac2e5
output 2019-12-20 01:32:08 -05:00
Patrick Schleizer
f19abaf627
refactoring 2019-12-20 01:31:37 -05:00
madaidan
3c2ca0257f
Support for removing SUID bits 2019-12-19 17:01:08 +00:00
Patrick Schleizer
4ca9fc5920
fix 2019-12-16 03:53:10 -05:00
Patrick Schleizer
f68efd53cf
remount /sys/kernel/security with nodev,nosuid[,noexec]
as suggested by @madaidan

http://forums.whonix.org/t/apparmor-for-complete-system-including-init-pid1-systemd-everything-full-system-mac-policy/8339/238
2019-12-16 03:52:09 -05:00
Patrick Schleizer
300f010fc2
increase priority of pam-abort-on-locked-password-security-misc
since it has its own user help output

so it shows before pam tally2 info

to avoid duplicate non-applicable help text
2019-12-12 09:29:00 -05:00
Patrick Schleizer
729fa26eca
use pam_acccess only for /etc/pam.d/login
remove "Allow members of group 'ssh' to login."
remove "+:ssh:ALL EXCEPT LOCAL"
2019-12-12 09:00:08 -05:00
Patrick Schleizer
b72eb30056
quotes 2019-12-09 02:32:05 -05:00
Patrick Schleizer
c258376b7e
use read (built-in) rather than awk (external) 2019-12-09 02:31:10 -05:00
Patrick Schleizer
02165201ab
read -r; refactoring
as per https://mywiki.wooledge.org/BashFAQ/001
2019-12-09 02:23:43 -05:00
Patrick Schleizer
7467252122
quotes 2019-12-09 02:22:16 -05:00
madaidan
61e19fa5f1
Create permission-hardening 2019-12-08 16:49:28 +00:00
Patrick Schleizer
c192644ee3
security-misc /usr/share/pam-configs/permission-lockdown-security-misc is no longer required, removed.
Thereby fix apparmor issue.

> Dec 08 09:47:50 host audit[3232]: AVC apparmor="DENIED" operation="exec" profile="/usr/bin/whonixcheck" name="/usr/lib/security-misc/permission-lockdown" pid=3232 comm="sudo" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
> Dec 08 09:47:50 host sudo[3232]: pam_exec(sudo:session): execve(/usr/lib/security-misc/permission-lockdown,...) failed: Permission denied

It is no longer required, because...

existing linux user accounts:

* Get permission lock down because security-misc `debian/security-misc.postinst` calls `/usr/lib/security-misc/permission-lockdown`.

new linux user accounts (created at first boot):

* security-misc `/usr/share/pam-configs/mkhomedir-security-misc` pam mkhomedir sets secure permissions using `umask=027`.
2019-12-08 05:21:35 -05:00
Patrick Schleizer
ac96708b24
improve usr/bin/hardening-enable 2019-12-08 04:01:11 -05:00
Patrick Schleizer
50ac03363f
output 2019-12-08 03:18:32 -05:00
Patrick Schleizer
c7c65fe4e7
higher priority usr/share/pam-configs/tally2-security-misc
so it can give info before pam stack gets aborted by other pam modules
2019-12-08 03:15:53 -05:00
Patrick Schleizer
3bd0b3f837
notify when attempting to use ssh but user is member of group ssh 2019-12-08 03:10:41 -05:00
Patrick Schleizer
1dbca1ea2d
add usr/bin/hardening-enable 2019-12-08 02:27:09 -05:00
Patrick Schleizer
19cc6d7555
pam description 2019-12-08 02:10:43 -05:00
Patrick Schleizer
b871421a54
usr/share/pam-configs/console-lockdown -> usr/share/pam-configs/console-lockdown-security-misc 2019-12-08 01:57:43 -05:00
madaidan
6846a94327
Check for more locations of System.map 2019-12-07 19:38:12 +00:00
madaidan
668b6420de
Remove hyphen 2019-12-07 14:15:02 +00:00
Patrick Schleizer
9ba84f34c6
comment 2019-12-07 06:51:59 -05:00
Patrick Schleizer
dc1dfc8c20
output 2019-12-07 06:51:16 -05:00
Patrick Schleizer
532a1525c2
comment 2019-12-07 06:26:55 -05:00
Patrick Schleizer
14aa6c5077
comment 2019-12-07 06:26:23 -05:00
Patrick Schleizer
8b3f5a555b
add console lockdown to pam info output 2019-12-07 06:25:45 -05:00
Patrick Schleizer
6479c883bf
Console Lockdown.
Allow members of group 'console' to use tty1 to tty7. Everyone else except
members of group 'console-unrestricted' are restricted from using console
using ancient, unpopular login methods such as using /bin/login over networks,
which might be exploitable. (CVE-2001-0797)

Not enabled by default in this package since this package does not know which
users shall be added to group 'console'.

In new Whonix builds, user 'user" will be added to group 'console' and
pam console-lockdown enabled by package anon-base-files.

/usr/share/pam-configs/console-lockdown

/etc/security/access-security-misc.conf

https://forums.whonix.org/t/etc-security-hardening/8592
2019-12-07 05:40:20 -05:00
Patrick Schleizer
5a4eda0d05
also support /usr/local/etc/remount-disable and /usr/local/etc/noexec 2019-12-07 01:53:33 -05:00
Patrick Schleizer
9b14f24d5e
refactoring 2019-12-06 11:17:32 -05:00
Patrick Schleizer
a6133f5912
output 2019-12-06 11:16:43 -05:00
Patrick Schleizer
c1ea35e2ef
output 2019-12-06 11:15:54 -05:00
Patrick Schleizer
4bec41379d
fix remount with noexec if /etc/noexec exists 2019-12-06 11:15:13 -05:00
Patrick Schleizer
470cad6e91
remount /home /tmp /dev/shm /run with nosuid,nodev (default) and noexec (opt-in)
https://forums.whonix.org/t/re-mount-home-and-other-with-noexec-and-nosuid-among-other-useful-mount-options-for-better-security/7707
2019-12-06 05:14:02 -05:00
Patrick Schleizer
aa5451c8cd
Lock user accounts after 50 rather than 100 failed login attempts.
https://forums.whonix.org/t/how-strong-do-linux-user-account-passwords-have-to-be-when-using-full-disk-encryption-fde-too/7698/19
2019-11-25 01:39:53 -05:00
Patrick Schleizer
fe1f1b73a7
load jitterentropy_rng kernel module for better entropy collection
https://www.whonix.org/wiki/Dev/Entropy

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=927972

https://forums.whonix.org/t/jitterentropy-rngd/7204
2019-11-23 11:20:32 +00:00
Patrick Schleizer
03e8023847
output 2019-11-22 14:11:30 -05:00
Patrick Schleizer
2e73c053b5
fix lintian warning 2019-11-09 12:55:00 +00:00
Patrick Schleizer
74293bcd2f
output 2019-11-05 01:59:25 -05:00
Patrick Schleizer
2b5b06b602
output 2019-11-05 01:59:19 -05:00
Patrick Schleizer
d6977becba
refactoring 2019-11-05 01:51:14 -05:00
Patrick Schleizer
daf0006795
comment 2019-11-05 01:50:27 -05:00
Patrick Schleizer
203d5cfa68
copyright 2019-10-31 11:19:44 -04:00
Patrick Schleizer
bce5274a15
quotes fix 2019-10-22 09:22:29 -04:00
Patrick Schleizer
e20b9e2133
better solution when using pkexec with --user: wrap sudo --user with lxqt-sudo 2019-10-22 09:08:18 -04:00
Patrick Schleizer
d4e02de43a
set SUDO_ASKPASS for pkexec wrapper when using sudo --askpass 2019-10-22 09:04:44 -04:00
Patrick Schleizer
1a65a91039
long rather than short option 2019-10-22 08:56:05 -04:00
Patrick Schleizer
b55913637b
silence output by mount/grep 2019-10-22 08:54:48 -04:00
Patrick Schleizer
a1154170c9
Call original pkexec in case there are no arguments. 2019-10-22 08:54:17 -04:00
Patrick Schleizer
1e4d0ea1d0
fix lintian warning 2019-10-21 09:55:05 +00:00
Patrick Schleizer
343d9cc916
fix 2019-10-21 09:53:55 +00:00
Patrick Schleizer
40707e70db
Redirect calls for pkexec to lxqt-sudo because pkexec is incompatible with hidepid.
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=860040

https://forums.whonix.org/t/cannot-use-pkexec/8129

Thanks to AnonymousUser for the bug report!
2019-10-21 05:46:49 -04:00
Patrick Schleizer
a5045dc26e
set -e 2019-10-17 06:18:32 -04:00
Patrick Schleizer
4aba027566
syntax check 2019-10-17 06:12:36 -04:00
Patrick Schleizer
8b9aa8841a
fix 2019-10-17 06:11:01 -04:00
Patrick Schleizer
cfbd77040a
set "shopt -s nullglob" to avoid failing when folder /etc/hide-hardware-info.d
does not exist or is empty
2019-10-17 06:10:29 -04:00
Patrick Schleizer
b05663c5f6
shuffle
https://forums.whonix.org/t/restrict-hardware-information-to-root/7329/80
2019-10-17 06:08:55 -04:00
Patrick Schleizer
28a440091d
code simplification 2019-10-17 06:08:16 -04:00
Patrick Schleizer
3c4e261c20
remove trailing spaces 2019-10-17 06:05:23 -04:00
Patrick Schleizer
8a42c5b023
Merge pull request #34 from madaidan/whitelist
Add a whitelist for /sys and /proc/cpuinfo
2019-10-17 09:59:12 +00:00
madaidan
61f742304d
return 0 2019-10-16 19:46:59 +00:00
madaidan
ffba0e0179
Elaborate 2019-10-16 19:04:15 +00:00
madaidan
f08c03ab21
Restrict sysfs/cpuinfo if the whitelist is disabled 2019-10-16 15:39:23 +00:00
madaidan
6b78dbcd07
Add way to whitelist things 2019-10-15 20:57:02 +00:00
Patrick Schleizer
d2bc3a2a08
chmod +x usr/lib/security-misc/hide-hardware-info 2019-10-05 09:14:41 +00:00
madaidan
87917d2f03
Add licensing 2019-10-03 21:38:07 +00:00
madaidan
9449f5017a
Create hide-hardware-info 2019-10-03 20:45:14 +00:00
Patrick Schleizer
75258843e9
copyright 2019-09-16 13:03:43 +00:00
Patrick Schleizer
8e39cea876
comment 2019-09-16 13:03:25 +00:00
Patrick Schleizer
bac462f211
comment 2019-09-16 13:03:02 +00:00
Patrick Schleizer
bec680d4f3
pam_tally2-info: fix, do nothing when started as user "user"
xscreensaver runs as user "user", therefore pam_tally2 cannot function.
xscreensaver has its own failed login counter.

as user "user"
/sbin/pam_tally2 -u user
pam_tally2: Error opening /var/log/tallylog for update: Permission denied
/sbin/pam_tally2: Authentication error

https://askubuntu.com/questions/983183/how-lock-the-unlock-screen-after-wrong-password-attempts

https://forums.whonix.org/t/how-strong-do-linux-user-account-passwords-have-to-be-when-using-full-disk-encryption-fde-too/7698
2019-09-16 12:30:23 +00:00
Patrick Schleizer
0ae5c5ff14
remove umask changes since these are causing issues are are not needed anymore
thanks to home folder permission lockdown

https://forums.whonix.org/t/change-default-umask/7416/45
2019-08-24 12:14:22 -04:00
Patrick Schleizer
0140df8668
virusforget 2019-08-19 08:43:28 +00:00