Patrick Schleizer
a67007f4b7
copyright
2021-03-17 09:45:21 -04:00
Patrick Schleizer
a258f35f38
comment
2021-01-05 02:11:08 -05:00
Patrick Schleizer
7e267ab498
fix, allow group sudo
and console
to use consoles
...
fix /etc/security/access-security-misc.conf syntax error
Thanks to @81a989 for the bug report!
https://forums.whonix.org/t/etc-security-hardening-console-lockdown-pam-access-access-conf/8592/31
2020-08-03 08:12:19 -04:00
Patrick Schleizer
253578afdf
/etc/security/access-security-misc.conf white list ttyS0 etc.
...
ttyS0 ttyS1 ttyS2 ttyS3 ttyS4 ttyS5 ttyS6 ttyS7 ttyS8 ttyS9
Thanks to @subpar_marlin for the bug report and helping to fix this!
https://forums.whonix.org/t/how-do-i-enter-the-whonix-shell-from-cli/7271/43
https://forums.whonix.org/t/etc-security-hardening/8592
2020-04-13 06:50:32 -04:00
Patrick Schleizer
a7f2a2a3b6
console lockdown: allow members of group sudo
to use console
...
https://forums.whonix.org/t/etc-security-hardening/8592
https://github.com/Whonix/security-misc/pull/74#issuecomment-607748407
https://www.whonix.org/wiki/Dev/Strong_Linux_User_Account_Isolation#Console_Lockdown
2020-04-02 06:04:45 -04:00
Patrick Schleizer
7764ee0d20
comments
2020-04-02 05:58:16 -04:00
Patrick Schleizer
2ceea8d1fe
update copyright year
2020-04-01 08:49:59 -04:00
Patrick Schleizer
814f613a2f
When using systemd-nspawn (chroot) then login
requires console 'console' to be permitted.
2020-03-31 07:08:25 -04:00
Patrick Schleizer
729fa26eca
use pam_acccess only for /etc/pam.d/login
...
remove "Allow members of group 'ssh' to login."
remove "+:ssh:ALL EXCEPT LOCAL"
2019-12-12 09:00:08 -05:00
Patrick Schleizer
c1800b13fe
separate group "ssh" for incoming ssh console permission
...
Thanks to @madaidan
https://forums.whonix.org/t/etc-security-hardening-console-lockdown-pam-access-access-conf/8592/16
2019-12-07 11:26:39 -05:00
Patrick Schleizer
021b06dac9
add hvc0 to hvc9
2019-12-07 06:04:45 -05:00
Patrick Schleizer
8a59662a44
comment
2019-12-07 06:02:45 -05:00
Patrick Schleizer
cda6724755
add pts/0 to pts/9
2019-12-07 05:56:57 -05:00
Patrick Schleizer
218cbddba9
comment
2019-12-07 05:52:06 -05:00
Patrick Schleizer
6479c883bf
Console Lockdown.
...
Allow members of group 'console' to use tty1 to tty7. Everyone else except
members of group 'console-unrestricted' are restricted from using console
using ancient, unpopular login methods such as using /bin/login over networks,
which might be exploitable. (CVE-2001-0797)
Not enabled by default in this package since this package does not know which
users shall be added to group 'console'.
In new Whonix builds, user 'user" will be added to group 'console' and
pam console-lockdown enabled by package anon-base-files.
/usr/share/pam-configs/console-lockdown
/etc/security/access-security-misc.conf
https://forums.whonix.org/t/etc-security-hardening/8592
2019-12-07 05:40:20 -05:00