Commit Graph

83 Commits

Author SHA1 Message Date
Patrick Schleizer
3bc831a1f7
lintian 2023-11-06 16:27:29 -05:00
Patrick Schleizer
b85d48eb83
do not change default umask for root
since this causes permission issues in `/etc/`

https://github.com/Kicksecure/security-misc/pull/151
2023-11-03 10:31:59 -04:00
Patrick Schleizer
07540db90d
Revert "Revert "set default umask to 027""
This reverts commit f8913ceb2e.
2023-11-03 09:45:12 -04:00
Patrick Schleizer
f8913ceb2e
Revert "set default umask to 027"
This reverts commit cd216095eb.
2023-11-03 09:43:44 -04:00
Patrick Schleizer
cd216095eb
set default umask to 027
using package libpam-umask

https://www.debian.org/doc/manuals/securing-debian-manual/ch04s11.en.html#id-1.5.14.19

https://github.com/Kicksecure/security-misc/pull/151
2023-11-03 09:12:24 -04:00
Patrick Schleizer
a7629b98cf
fix 2023-10-22 15:40:49 -04:00
Patrick Schleizer
25760f7024
bookworm 2023-06-13 08:34:41 +00:00
Raja Grewal
7a4212dd76
Update copyright 2023-03-30 17:08:47 +11:00
Patrick Schleizer
b87d9eb865
lintian 2023-01-24 07:08:13 -05:00
Patrick Schleizer
d31c17ea04
fix 2023-01-07 14:31:14 -05:00
Patrick Schleizer
41d116aa2f
lintian 2023-01-07 14:30:12 -05:00
Patrick Schleizer
8b584c570a
lintian 2022-06-29 16:06:22 -04:00
Patrick Schleizer
1c51d15649
lintian 2022-06-29 15:23:53 -04:00
Patrick Schleizer
6eba53767f
lintian 2022-06-29 14:17:52 -04:00
Patrick Schleizer
cfae7de6a8
lintian 2022-06-29 09:58:37 -04:00
Patrick Schleizer
2d37e3a1af
copyright 2022-05-20 14:46:38 -04:00
Patrick Schleizer
be8c10496f
fix faillock implementation
dovecot / ssh are exempted
2021-09-01 15:55:53 -04:00
Patrick Schleizer
582492d6d8
port from pam_tally2 to pam_faillock
since pam_tally2 was deprecated upstream
2021-08-10 17:13:00 -04:00
Patrick Schleizer
2bf0e7471c
port from pam_tally2 to pam_faillock
since pam_tally2 was deprecated upstream
2021-08-10 15:11:01 -04:00
Patrick Schleizer
2aea74bd71
renamed: usr/libexec/security-misc/pam_tally2-info -> usr/libexec/security-misc/pam-info
renamed:    usr/libexec/security-misc/pam_tally2_not_if_x -> usr/libexec/security-misc/pam_faillock_not_if_x
renamed:    usr/share/pam-configs/tally2-security-misc -> usr/share/pam-configs/faillock-security-misc
2021-08-10 15:06:04 -04:00
Patrick Schleizer
50bdd097df
move /usr/lib/security-misc to /usr/libexec/security-misc as per lintian FHS 2021-08-03 12:56:31 -04:00
Patrick Schleizer
8eae635668
update lintian tag name 2021-08-03 11:51:31 -04:00
Patrick Schleizer
b3e34f7f43
comment 2021-07-25 11:27:07 -04:00
Patrick Schleizer
7e128636b3
improve LKRG VirtualBox host configuration
as per https://github.com/openwall/lkrg/issues/82#issuecomment-886188999
2021-07-25 11:26:20 -04:00
Patrick Schleizer
257cef24ba
add LKRG compatibility settings automation for VirtualBox hosts
https://github.com/openwall/lkrg/issues/82
2021-07-24 18:03:40 -04:00
Patrick Schleizer
a67007f4b7
copyright 2021-03-17 09:45:21 -04:00
Patrick Schleizer
9622f28e25
skip counting failed login attempts from dovecot
Failed dovecot logins should not result in account getting locked.

revert "use pam_tally2 only for login"
2021-01-27 05:49:34 -05:00
Patrick Schleizer
6757104aa4
use pam_tally2 only for login
to skip counting failed login attempts over ssh and mail login
2021-01-24 05:04:48 -05:00
Patrick Schleizer
5c81e1f23f
import from anon-gpg-conf 2020-04-06 09:25:45 -04:00
Patrick Schleizer
2ceea8d1fe
update copyright year 2020-04-01 08:49:59 -04:00
Patrick Schleizer
300f010fc2
increase priority of pam-abort-on-locked-password-security-misc
since it has its own user help output

so it shows before pam tally2 info

to avoid duplicate non-applicable help text
2019-12-12 09:29:00 -05:00
Patrick Schleizer
729fa26eca
use pam_acccess only for /etc/pam.d/login
remove "Allow members of group 'ssh' to login."
remove "+:ssh:ALL EXCEPT LOCAL"
2019-12-12 09:00:08 -05:00
Patrick Schleizer
c192644ee3
security-misc /usr/share/pam-configs/permission-lockdown-security-misc is no longer required, removed.
Thereby fix apparmor issue.

> Dec 08 09:47:50 host audit[3232]: AVC apparmor="DENIED" operation="exec" profile="/usr/bin/whonixcheck" name="/usr/lib/security-misc/permission-lockdown" pid=3232 comm="sudo" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
> Dec 08 09:47:50 host sudo[3232]: pam_exec(sudo:session): execve(/usr/lib/security-misc/permission-lockdown,...) failed: Permission denied

It is no longer required, because...

existing linux user accounts:

* Get permission lock down because security-misc `debian/security-misc.postinst` calls `/usr/lib/security-misc/permission-lockdown`.

new linux user accounts (created at first boot):

* security-misc `/usr/share/pam-configs/mkhomedir-security-misc` pam mkhomedir sets secure permissions using `umask=027`.
2019-12-08 05:21:35 -05:00
Patrick Schleizer
c7c65fe4e7
higher priority usr/share/pam-configs/tally2-security-misc
so it can give info before pam stack gets aborted by other pam modules
2019-12-08 03:15:53 -05:00
Patrick Schleizer
19cc6d7555
pam description 2019-12-08 02:10:43 -05:00
Patrick Schleizer
b871421a54
usr/share/pam-configs/console-lockdown -> usr/share/pam-configs/console-lockdown-security-misc 2019-12-08 01:57:43 -05:00
Patrick Schleizer
6479c883bf
Console Lockdown.
Allow members of group 'console' to use tty1 to tty7. Everyone else except
members of group 'console-unrestricted' are restricted from using console
using ancient, unpopular login methods such as using /bin/login over networks,
which might be exploitable. (CVE-2001-0797)

Not enabled by default in this package since this package does not know which
users shall be added to group 'console'.

In new Whonix builds, user 'user" will be added to group 'console' and
pam console-lockdown enabled by package anon-base-files.

/usr/share/pam-configs/console-lockdown

/etc/security/access-security-misc.conf

https://forums.whonix.org/t/etc-security-hardening/8592
2019-12-07 05:40:20 -05:00
Patrick Schleizer
aa5451c8cd
Lock user accounts after 50 rather than 100 failed login attempts.
https://forums.whonix.org/t/how-strong-do-linux-user-account-passwords-have-to-be-when-using-full-disk-encryption-fde-too/7698/19
2019-11-25 01:39:53 -05:00
Patrick Schleizer
03e8023847
output 2019-11-22 14:11:30 -05:00
Patrick Schleizer
2e73c053b5
fix lintian warning 2019-11-09 12:55:00 +00:00
Patrick Schleizer
203d5cfa68
copyright 2019-10-31 11:19:44 -04:00
Patrick Schleizer
1e4d0ea1d0
fix lintian warning 2019-10-21 09:55:05 +00:00
Patrick Schleizer
0ae5c5ff14
remove umask changes since these are causing issues are are not needed anymore
thanks to home folder permission lockdown

https://forums.whonix.org/t/change-default-umask/7416/45
2019-08-24 12:14:22 -04:00
Patrick Schleizer
41b2819ec8
PAM: abort on locked password
to avoid needlessly bumping pam_tally2 counter

https://forums.whonix.org/t/restrict-root-access/7658/1
2019-08-17 10:33:47 +00:00
Patrick Schleizer
ed90d8b025
change default umask to 027
as per:

https://forums.whonix.org/t/change-default-umask/7416/47
2019-08-17 09:55:20 +00:00
Patrick Schleizer
ff9bc1d7ea
informational output during PAM:
* Show failed and remaining password attempts.
* Document unlock procedure if Linux user account got locked.
* Point out, that there is no password feedback for `su`.
* Explain locked (root) account if locked.
* /usr/share/pam-configs/tally2-security-misc
* /usr/lib/security-misc/pam_tally2-info
2019-08-15 13:37:28 +00:00
Patrick Schleizer
454e135822
pam_tally2.so even_deny_root 2019-08-15 07:33:41 +00:00
Patrick Schleizer
63b476221c
use requisite rather than required to avoid asking for password needlessly
if login will fail anyhow
2019-08-15 07:30:56 +00:00
Patrick Schleizer
8fdc77fed5
output to stdout 2019-08-14 10:33:23 +00:00
Patrick Schleizer
15094cab4f
avoid ' character in usr/share/pam-configs; in description 2019-08-14 09:36:30 +00:00