Commit graph

182 commits

Author SHA1 Message Date
Patrick Schleizer
353b6e83c5
test that wc is functional
https://github.com/Kicksecure/security-misc/pull/305#issuecomment-2892378246
2025-05-21 07:20:13 -04:00
Patrick Schleizer
5930e27052
pam-info: improve error handling
https://github.com/Kicksecure/security-misc/pull/305#issuecomment-2892378246
2025-05-21 07:05:25 -04:00
Patrick Schleizer
5c981e0891
pam-info: fix, consistently write errors and warnings to stderr 2025-05-21 06:55:09 -04:00
Patrick Schleizer
405880e63b
handle case of non-existence of /proc/cmdline 2025-05-18 06:44:42 -04:00
Patrick Schleizer
88235cc97b
refactoring 2025-05-18 06:44:04 -04:00
Patrick Schleizer
601ea77b00
end-of-options 2025-05-18 06:42:39 -04:00
Patrick Schleizer
d8feca1276
printf 2025-05-18 06:41:41 -04:00
Patrick Schleizer
7f2ba0980d
refactoring 2025-05-18 06:40:50 -04:00
DMHalford
91a76db66b
Prevent erroneous "Login blocked after [negative number] attempts" errors
For root, faillock appears to always* return an empty string (i.e. no table headers are present), yielding a zero-initialized pam_faillock_output_count and thus resulting in the calculation of a negative failed_login_counter value.

This can cause erroneous errors of the form "ERROR: Login blocked after [negative number] attempts" during sudo-ing and screen unlocking.

This commit modifies the initialization of failed_login_counter such that it cannot be negative and prevents the display of these incorrect warnings.

* Only rudimentary local tests were conducted
2025-05-15 15:42:50 -04:00
DMHalford
6c3be9ced0
Prevent erroneous "Login blocked after [negative number] attempts" errors
For root, faillock appears to always* return an empty string (i.e. no table headers are present), yielding a zero-initialized pam_faillock_output_count and thus resulting in the calculation of a negative failed_login_counter value.

This can cause erroneous errors of the form "ERROR: Login blocked after [negative number] attempts" during sudo-ing and screen unlocking.

This commit modifies the initialization of failed_login_counter such that it cannot be negative and prevents the display of these incorrect warnings.

* Only rudimentary tests were conducted
2025-05-15 15:06:10 -04:00
Patrick Schleizer
06e1e44b00
comments 2025-04-25 05:51:21 -04:00
Patrick Schleizer
9948ae114d
fix 2025-04-19 13:24:17 -04:00
Patrick Schleizer
4aca622706
fix 2025-04-19 13:23:26 -04:00
Patrick Schleizer
701f4a0e88
output 2025-04-19 13:20:04 -04:00
Patrick Schleizer
a670c0d873
comment 2025-04-19 13:18:23 -04:00
Patrick Schleizer
4799f3ce02
make /usr/libexec/security-misc/apt-get-update more reliable 2025-04-19 13:17:28 -04:00
Patrick Schleizer
c4f0e1d16f
refactoring 2025-04-19 12:57:14 -04:00
Patrick Schleizer
81634930fa
refactoring 2025-04-19 12:55:32 -04:00
Patrick Schleizer
90330a1ec9
refactoring 2025-04-19 12:49:18 -04:00
Patrick Schleizer
ce2c9a21a3
/usr/libexec/security-misc/apt-get-update: use /run/helper-scripts folder for pid file instead of $TMP
to avoid permission issues
2025-04-19 12:48:19 -04:00
Patrick Schleizer
96ff7c8dc6
refactoring 2025-04-19 12:45:06 -04:00
Patrick Schleizer
5a37790e6b
cleanup 2025-04-19 12:43:15 -04:00
Aaron Rainbolt
74ca63d12c
Mass-change "PERSISTENCE mode USERNAME" to "PERSISTENCE Mode - USERNAME Session" 2025-04-09 21:01:41 -05:00
Patrick Schleizer
39f4f5b607
comments 2025-04-08 06:53:08 -04:00
Patrick Schleizer
173606891a
output 2025-04-08 06:48:29 -04:00
Patrick Schleizer
9f5e522b83
LC_ALL=C 2025-01-30 07:53:04 -05:00
Patrick Schleizer
7c150d116d
LANG=C str_replace: no longer requires LANG=C, therefore removed 2025-01-30 07:45:08 -05:00
Patrick Schleizer
d4767b7520
fix: apply PAM wheal only to su PAM service 2025-01-06 04:24:44 -05:00
Patrick Schleizer
33114f771a
copyright 2024-12-31 13:26:21 -05:00
Aaron Rainbolt
6602fb102d
Adjust pam-info messaging for sysmaint mode 2024-12-24 20:52:34 -06:00
Aaron Rainbolt
2f3a2bce77
Add warning about using non-sysmaint accounts in sysmaint mode 2024-12-20 11:04:22 -06:00
Patrick Schleizer
175b442d5b
use long option name 2024-12-19 05:56:50 -05:00
Patrick Schleizer
c99021bb0c
Merge remote-tracking branch 'ArrayBolt3/arraybolt3/sysmaint' 2024-12-19 05:56:01 -05:00
Patrick Schleizer
daf0a0900b
fix apt-get-update for non-English locale
https://forums.kicksecure.com/t/systemcheck-reports-warning-debian-package-update-check-result-apt-get-reports-that-packages-can-be-updated-but-system-is-already-fully-upgraded/785
2024-12-19 04:39:34 -05:00
Aaron Rainbolt
9d69cd1912
Add sysmaint account lock detection 2024-12-18 21:34:37 -06:00
Patrick Schleizer
98d7c245ee
"|| exit 1" no longer required thanks to errexit 2024-11-25 15:57:30 -05:00
Patrick Schleizer
f9b5d7d3f4
use strict shell options 2024-11-25 15:48:01 -05:00
Patrick Schleizer
d32cb8c95b
use TMP, sponge, refactoring 2024-11-25 15:44:00 -05:00
Aaron Rainbolt
d7475e252a
Make apt-get-update able to be terminated securely 2024-11-21 20:03:42 -06:00
Patrick Schleizer
29ae5f5980
fix optional opt-in harden-module-loading.service
by making `/usr/libexec/security-misc/disable-kernel-module-loading` executable

Thanks to @ArrayBolt3 for the bug report!
2024-11-11 05:28:31 -05:00
Patrick Schleizer
71c58442ca
minor 2024-10-28 05:10:19 -04:00
Patrick Schleizer
cfe19e31d8
shell options 2024-10-28 05:09:53 -04:00
Patrick Schleizer
0d50615658
local 2024-10-28 05:07:00 -04:00
Patrick Schleizer
ef0eb5f7a0
refactoring 2024-10-28 05:06:26 -04:00
Patrick Schleizer
fdd1f4b7f8
refactoring 2024-10-28 05:06:05 -04:00
Patrick Schleizer
d00235897d
hide-hardware-info: also parse /usr/local/etc/hide-hardware-info.d/*.conf 2024-10-28 05:03:59 -04:00
Patrick Schleizer
6c2e808b9f
refactoring 2024-10-28 05:03:20 -04:00
Patrick Schleizer
566cda5e4b
output 2024-10-21 05:47:38 -04:00
Patrick Schleizer
5991a23049
comment 2024-10-21 05:47:25 -04:00
Aaron Rainbolt
690e8dd826
Avoid faillock lock/tally reset on reboot or timeout 2024-10-19 23:52:51 -05:00