Commit Graph

498 Commits

Author SHA1 Message Date
Patrick Schleizer
b31caefdeb
description 2020-02-29 04:59:02 -05:00
Patrick Schleizer
bd7678c574
Merge pull request #66 from madaidan/mce
Fix docs
2020-02-28 12:04:05 +00:00
madaidan
42d3b986c4
Update control 2020-02-27 17:41:14 +00:00
Patrick Schleizer
4043d2af3f
description 2020-02-25 02:06:48 -05:00
Patrick Schleizer
0e5187ff24
description 2020-02-25 02:00:27 -05:00
madaidan
60fbf8b0de
Update control 2020-02-24 18:24:07 +00:00
madaidan
8ea4e50c8e
Update control 2020-02-16 19:52:40 +00:00
Patrick Schleizer
01eaee997e
bumped changelog version 2020-02-15 15:35:44 -05:00
Patrick Schleizer
dce54d5d0f
bumped changelog version 2020-02-15 15:29:38 -05:00
Patrick Schleizer
1e5946c795
Merge branch 'master' into sysrq 2020-02-15 10:41:52 +00:00
madaidan
0f49736957
Update control 2020-02-14 18:18:18 +00:00
madaidan
ace6211176
Update control 2020-02-14 17:51:17 +00:00
Patrick Schleizer
ad6b766886
Merge pull request #57 from madaidan/sysctl
Prevent symlink/hardlink TOCTOU races
2020-02-13 18:40:58 +00:00
Patrick Schleizer
14140ad41b
bumped changelog version 2020-02-13 13:39:45 -05:00
madaidan
2796c2dd00
Update control 2020-02-12 18:43:19 +00:00
madaidan
14f8458374
Update control 2020-02-12 18:05:32 +00:00
Patrick Schleizer
163e20b886
bumped changelog version 2020-02-05 06:31:48 -05:00
Patrick Schleizer
8c5cd865f4
bumped changelog version 2020-02-03 09:23:13 -05:00
Patrick Schleizer
2291b7f787
bumped changelog version 2020-02-03 08:43:31 -05:00
Patrick Schleizer
0bd0a4a647
bumped changelog version 2020-01-30 06:14:34 -05:00
Patrick Schleizer
d69c1839cd
bumped changelog version 2020-01-30 06:02:26 -05:00
Patrick Schleizer
2711d0f7f0
bumped changelog version 2020-01-30 01:22:32 -05:00
Patrick Schleizer
c1a0da60be
set kernel boot parameter l1tf=full,force and nosmt=force
https://forums.whonix.org/t/should-all-kernel-patches-for-cpu-bugs-be-unconditionally-enabled-vs-performance-vs-applicability/7647/17
2020-01-30 00:46:48 -05:00
Patrick Schleizer
efc40da4fb
bumped changelog version 2020-01-24 12:02:27 -05:00
Patrick Schleizer
f4c54881ac
description 2020-01-24 04:49:19 -05:00
Patrick Schleizer
25317f23e3
bumped changelog version 2020-01-24 04:41:16 -05:00
Patrick Schleizer
c0d3726b00
comment 2020-01-24 04:40:03 -05:00
Patrick Schleizer
a37da1c968
add digits to drop-in file names 2020-01-24 04:39:06 -05:00
Patrick Schleizer
2ab940c603
bumped changelog version 2020-01-24 04:34:18 -05:00
Patrick Schleizer
3a4d283169
description 2020-01-24 04:33:30 -05:00
Patrick Schleizer
e0aa67677d
merge the many modprobe.d config files into 1
and use a name starting with double digits

to make it easier to disable settings using a lexically higher config file
2020-01-24 04:30:36 -05:00
Patrick Schleizer
6a4c493213
merge the many sysctl config files into 1
and use a name starting with double digits

to make it easier to disable settings using a lexically higher config file
2020-01-24 04:26:36 -05:00
Patrick Schleizer
f653b94e77
bumped changelog version 2020-01-24 03:49:02 -05:00
Patrick Schleizer
8616728ce0
remove duplicate 2020-01-24 03:35:15 -05:00
Patrick Schleizer
3b283ec00f
bumped changelog version 2020-01-22 07:10:47 -05:00
Patrick Schleizer
531f17cb68
add update initramfs trigger
https://github.com/Whonix/security-misc/pull/53
2020-01-22 07:08:31 -05:00
Patrick Schleizer
df0b2afda1
bumped changelog version 2020-01-21 10:12:32 -05:00
Patrick Schleizer
627b95e0b3
bumped changelog version 2020-01-20 08:51:25 -05:00
Patrick Schleizer
fbe9b60d95
fix Whonix / Kicksecure
/var/lib/dpkg/tmp.ci/preinst: ERROR: No user is a member of group 'console'. Installation aborted.
/var/lib/dpkg/tmp.ci/preinst: ERROR: You probably want to run:

sudo adduser user console
2020-01-20 08:49:02 -05:00
Patrick Schleizer
960e1ff6e8
bumped changelog version 2020-01-17 03:32:57 -05:00
madaidan
1df48a226d
Update control 2020-01-15 20:30:17 +00:00
Patrick Schleizer
e110ea0b84
bumped changelog version 2020-01-15 11:37:52 -05:00
Patrick Schleizer
0618b53464
fix lintian warning 2020-01-15 11:35:07 -05:00
Patrick Schleizer
47ce3bec75
bumped changelog version 2020-01-15 11:05:54 -05:00
Patrick Schleizer
528c5fc4c4
Merge branch 'master' into sysctl-initramfs 2020-01-15 11:02:03 +00:00
Patrick Schleizer
1059ccf225
bumped changelog version 2020-01-14 09:28:28 -05:00
Patrick Schleizer
660837dc38
fix case when user "user" does not exists 2020-01-14 09:25:32 -05:00
Patrick Schleizer
18c726c3ee
comment 2020-01-14 09:23:02 -05:00
Patrick Schleizer
b8652681e7
fix legacy 2020-01-14 09:21:47 -05:00
Patrick Schleizer
cc21f912a3
bumped changelog version 2020-01-14 09:20:36 -05:00
madaidan
0953bbe1d7
Update control 2020-01-13 21:05:35 +00:00
madaidan
9dc43eae38
Description 2020-01-12 21:42:07 +00:00
Patrick Schleizer
8341242abc
bumped changelog version 2020-01-11 15:19:29 -05:00
Patrick Schleizer
61a2d390a7
lintian 2020-01-11 15:15:12 -05:00
madaidan
6088444c37
Update control 2020-01-11 18:38:17 +00:00
Patrick Schleizer
13a1e1321e
bumped changelog version 2020-01-01 05:59:59 -05:00
Patrick Schleizer
b2bdeb9095
bumped changelog version 2019-12-31 06:08:32 -05:00
Patrick Schleizer
2a3aae62b1
fix 2019-12-31 06:06:52 -05:00
Patrick Schleizer
427deec3f5
bumped changelog version 2019-12-31 06:03:48 -05:00
Patrick Schleizer
e89552c984
add user "user" to group "console" in Whonix and Kicksecure
enable Console Lockdown in Whonix and Kicksecure
2019-12-31 05:55:44 -05:00
Patrick Schleizer
b5a2d1dc58
bumped changelog version 2019-12-31 02:54:58 -05:00
Patrick Schleizer
06ed728d79
bumped changelog version 2019-12-30 06:42:14 -05:00
Patrick Schleizer
e4e9c4e3b0
bumped changelog version 2019-12-30 05:59:43 -05:00
Patrick Schleizer
d7f58db52c
bumped changelog version 2019-12-27 05:30:12 -05:00
Patrick Schleizer
507a30d6e3
bumped changelog version 2019-12-24 18:35:49 -05:00
Patrick Schleizer
0326cd5ee9
bumped changelog version 2019-12-24 08:07:55 -05:00
Patrick Schleizer
7a80837b4f
bumped changelog version 2019-12-23 08:48:04 -05:00
Patrick Schleizer
bef41a38c2
bumped changelog version 2019-12-23 03:58:00 -05:00
Patrick Schleizer
9ec5b0ee82
description: lockdown not enabled yet 2019-12-23 03:38:49 -05:00
Patrick Schleizer
1ff51ee061
merge 2019-12-23 03:37:28 -05:00
Patrick Schleizer
42ff53e9ad
bumped changelog version 2019-12-23 02:42:07 -05:00
Patrick Schleizer
175d1c2845
bumped changelog version 2019-12-23 02:13:13 -05:00
Patrick Schleizer
3670fcf48b
depend on libcap2-bin for setcap / getcap / capsh 2019-12-23 00:49:33 -05:00
Patrick Schleizer
bce02ffdc0
Merge pull request #47 from madaidan/msr
Blacklist CPU MSRs
2019-12-22 15:26:07 +00:00
madaidan
8f11a520f4
Update control 2019-12-22 13:54:16 +00:00
Patrick Schleizer
008ce4817c
bumped changelog version 2019-12-21 14:55:03 -05:00
Patrick Schleizer
1213415ce6
bumped changelog version 2019-12-21 14:23:35 -05:00
Patrick Schleizer
1c99b56c9b
bumped changelog version 2019-12-21 07:49:55 -05:00
Patrick Schleizer
b74e5ca972
comment 2019-12-21 07:47:00 -05:00
Patrick Schleizer
0c4db8c2b0
bumped changelog version 2019-12-21 07:38:25 -05:00
Patrick Schleizer
af8b04b73d
rm_conffile /etc/apparmor.d/usr.lib.security-misc.pam_tally2-info
rm_conffile /etc/apparmor.d/usr.lib.security-misc.permission-lockdown

https://github.com/Whonix/security-misc/pull/45
2019-12-21 06:58:01 -05:00
Patrick Schleizer
fac17a963d
bumped changelog version 2019-12-21 06:28:19 -05:00
Patrick Schleizer
78d33d8b57
bumped changelog version 2019-12-21 06:12:20 -05:00
Patrick Schleizer
ff48b672a8
bumped changelog version 2019-12-21 06:00:17 -05:00
Patrick Schleizer
65b5adb2d7
bumped changelog version 2019-12-21 05:38:39 -05:00
Patrick Schleizer
2b5a49a61b
bumped changelog version 2019-12-21 05:31:55 -05:00
Patrick Schleizer
ed20980f4c
refactoring 2019-12-21 05:07:10 -05:00
Patrick Schleizer
89be5f2ecb
bumped changelog version 2019-12-21 02:05:39 -05:00
Patrick Schleizer
1cd5fb6a00
bumped changelog version 2019-12-20 11:50:25 -05:00
Patrick Schleizer
28d12c3966
bumped changelog version 2019-12-20 11:09:22 -05:00
Patrick Schleizer
c0ddb76d74
bumped changelog version 2019-12-20 10:50:51 -05:00
Patrick Schleizer
089c40135f
bumped changelog version 2019-12-20 08:15:00 -05:00
Patrick Schleizer
ddc0eec63d
bumped changelog version 2019-12-20 07:12:36 -05:00
Patrick Schleizer
8e112c3423
description 2019-12-20 06:53:24 -05:00
Patrick Schleizer
24ea70384b
description 2019-12-20 06:53:03 -05:00
Patrick Schleizer
6dd6530fa5
remove hardening-enable
please invent package security-paranoid instead

https://forums.whonix.org/t/security-hardening-tool-usr-bin-hardening-enable-by-security-misc/8609
2019-12-20 05:32:26 -05:00
Patrick Schleizer
62eb462920
skip console_users_check for Qubes users 2019-12-16 06:46:48 -05:00
Patrick Schleizer
ab68182e11
bumped changelog version 2019-12-16 06:27:51 -05:00
Patrick Schleizer
2c4170e6f3
description 2019-12-12 09:47:58 -05:00
Patrick Schleizer
2d5ef378f3
description 2019-12-12 09:39:39 -05:00
Patrick Schleizer
a10597de92
bumped changelog version 2019-12-12 09:04:15 -05:00
Patrick Schleizer
729fa26eca
use pam_acccess only for /etc/pam.d/login
remove "Allow members of group 'ssh' to login."
remove "+:ssh:ALL EXCEPT LOCAL"
2019-12-12 09:00:08 -05:00
Patrick Schleizer
22b6480bc4
bumped changelog version 2019-12-10 11:44:02 -05:00
Patrick Schleizer
88bea2a6ef
comment 2019-12-10 03:53:10 -05:00
Patrick Schleizer
7d8001ddc9
refactoring 2019-12-10 03:51:39 -05:00
Patrick Schleizer
d2f6ac0491
fix, do user/group modifications in preinst rather than postinst 2019-12-10 03:50:23 -05:00
Patrick Schleizer
64ae53edb9
bumped changelog version 2019-12-09 08:25:30 -05:00
Patrick Schleizer
6f944234a9
bumped changelog version 2019-12-08 05:26:29 -05:00
Patrick Schleizer
c192644ee3
security-misc /usr/share/pam-configs/permission-lockdown-security-misc is no longer required, removed.
Thereby fix apparmor issue.

> Dec 08 09:47:50 host audit[3232]: AVC apparmor="DENIED" operation="exec" profile="/usr/bin/whonixcheck" name="/usr/lib/security-misc/permission-lockdown" pid=3232 comm="sudo" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
> Dec 08 09:47:50 host sudo[3232]: pam_exec(sudo:session): execve(/usr/lib/security-misc/permission-lockdown,...) failed: Permission denied

It is no longer required, because...

existing linux user accounts:

* Get permission lock down because security-misc `debian/security-misc.postinst` calls `/usr/lib/security-misc/permission-lockdown`.

new linux user accounts (created at first boot):

* security-misc `/usr/share/pam-configs/mkhomedir-security-misc` pam mkhomedir sets secure permissions using `umask=027`.
2019-12-08 05:21:35 -05:00
Patrick Schleizer
edcc2de71d
bumped changelog version 2019-12-08 04:38:33 -05:00
Patrick Schleizer
17d81d0083
bumped changelog version 2019-12-08 04:27:01 -05:00
Patrick Schleizer
ebae9eef38
skip sudo_users_check in Qubes
Qubes users can use dom0 to get a root terminal emulator.

For example:
qvm-run -u root debian-10 xterm
2019-12-08 04:25:19 -05:00
Patrick Schleizer
53e4717c62
bumped changelog version 2019-12-08 04:05:29 -05:00
Patrick Schleizer
a345a0fb64
abort installation if ssh.service is enabled but no user is member of group ssh 2019-12-08 03:27:12 -05:00
Patrick Schleizer
cea598dc1a
refactoring 2019-12-08 02:43:05 -05:00
Patrick Schleizer
54f5e02c21
comment 2019-12-08 02:42:30 -05:00
Patrick Schleizer
b4265195f4
refactoring 2019-12-08 02:41:36 -05:00
Patrick Schleizer
0f65b2e85c
abort installation if no user is a member of group "console"; output
https://forums.whonix.org/t/etc-security-hardening-console-lockdown-pam-access-access-conf/8592/7
2019-12-08 02:38:19 -05:00
Patrick Schleizer
1dbca1ea2d
add usr/bin/hardening-enable 2019-12-08 02:27:09 -05:00
Patrick Schleizer
24423b42f0
description 2019-12-08 02:03:05 -05:00
Patrick Schleizer
6b01e5be14
comment 2019-12-08 02:01:22 -05:00
Patrick Schleizer
66bebefc9f
description 2019-12-08 02:00:23 -05:00
Patrick Schleizer
52e0f104cc
comment 2019-12-08 01:59:55 -05:00
Patrick Schleizer
731d486fa0
refactoring 2019-12-08 01:58:58 -05:00
Patrick Schleizer
221a2df2a2
refactoring 2019-12-08 01:58:37 -05:00
Patrick Schleizer
b871421a54
usr/share/pam-configs/console-lockdown -> usr/share/pam-configs/console-lockdown-security-misc 2019-12-08 01:57:43 -05:00
Patrick Schleizer
d36669596f
comment 2019-12-08 01:56:30 -05:00
Patrick Schleizer
1a0f353708
comment 2019-12-08 01:47:40 -05:00
Patrick Schleizer
eed1f0a462
comment 2019-12-08 01:46:32 -05:00
Patrick Schleizer
2491b62393
refactoring, add all groups first before adding any users to any groups 2019-12-08 01:43:45 -05:00
Patrick Schleizer
1464f01d19
description 2019-12-08 01:30:42 -05:00
Patrick Schleizer
c1800b13fe
separate group "ssh" for incoming ssh console permission
Thanks to @madaidan

https://forums.whonix.org/t/etc-security-hardening-console-lockdown-pam-access-access-conf/8592/16
2019-12-07 11:26:39 -05:00
Patrick Schleizer
55225aa30e
description 2019-12-07 07:16:07 -05:00
Patrick Schleizer
34a2bc16c8
description 2019-12-07 07:15:58 -05:00
Patrick Schleizer
d823f06c78
description 2019-12-07 07:13:42 -05:00
Patrick Schleizer
090ddbe96a
description 2019-12-07 06:00:41 -05:00
Patrick Schleizer
6479c883bf
Console Lockdown.
Allow members of group 'console' to use tty1 to tty7. Everyone else except
members of group 'console-unrestricted' are restricted from using console
using ancient, unpopular login methods such as using /bin/login over networks,
which might be exploitable. (CVE-2001-0797)

Not enabled by default in this package since this package does not know which
users shall be added to group 'console'.

In new Whonix builds, user 'user" will be added to group 'console' and
pam console-lockdown enabled by package anon-base-files.

/usr/share/pam-configs/console-lockdown

/etc/security/access-security-misc.conf

https://forums.whonix.org/t/etc-security-hardening/8592
2019-12-07 05:40:20 -05:00
Patrick Schleizer
52934c9288
bumped changelog version 2019-12-07 02:02:32 -05:00
Patrick Schleizer
6d92d03b31
description 2019-12-07 01:54:50 -05:00
Patrick Schleizer
0afcc5e798
bumped changelog version 2019-12-06 12:43:21 -05:00
Patrick Schleizer
af0cf058e7
bumped changelog version 2019-12-06 11:18:20 -05:00
Patrick Schleizer
bff425fec2
bumped changelog version 2019-12-06 09:32:18 -05:00
Patrick Schleizer
470cad6e91
remount /home /tmp /dev/shm /run with nosuid,nodev (default) and noexec (opt-in)
https://forums.whonix.org/t/re-mount-home-and-other-with-noexec-and-nosuid-among-other-useful-mount-options-for-better-security/7707
2019-12-06 05:14:02 -05:00
madaidan
af9e19c51f
Update control 2019-12-05 20:14:55 +00:00
Patrick Schleizer
0c25a96b59
description / comments 2019-12-03 02:18:32 -05:00
madaidan
8d63da3cef
Update control 2019-12-02 16:46:12 +00:00
Patrick Schleizer
6ca48fffdc
bumped changelog version 2019-11-28 10:22:41 -05:00
Patrick Schleizer
25aed91eb1
description 2019-11-28 09:20:46 -05:00
Patrick Schleizer
0c4e5df3e0
description 2019-11-28 09:18:05 -05:00
Patrick Schleizer
5ac2a6f9ac
description 2019-11-28 09:17:32 -05:00