Commit Graph

543 Commits

Author SHA1 Message Date
Patrick Schleizer
d05c101721
debugging 2022-11-24 06:31:24 -05:00
Patrick Schleizer
36454c2dbf
debugging 2022-11-24 06:25:47 -05:00
Patrick Schleizer
e06b173a1b
debugging 2022-11-24 06:24:14 -05:00
Patrick Schleizer
497b5b4544
fix 2022-11-24 06:14:04 -05:00
Patrick Schleizer
e5255a630a
pam-info: support non-root environments (such as during graphical display manager login and xscreensaver) 2022-11-22 05:57:30 -05:00
Patrick Schleizer
09e6af5c08
pam-info refactoring 2022-11-16 02:01:23 -05:00
Patrick Schleizer
caf0099064
pam-info refactoring 2022-11-16 02:00:32 -05:00
Patrick Schleizer
487f63bb01
comment 2022-11-16 01:56:01 -05:00
Patrick Schleizer
f59f959a8d
pam-info fix 2022-11-16 01:55:14 -05:00
Patrick Schleizer
ae113442a1
pam-info refactoring 2022-11-16 01:49:45 -05:00
Patrick Schleizer
bb6b509d06
pam-info refactoring 2022-11-16 01:44:21 -05:00
Patrick Schleizer
e5d7ab7082
comment 2022-11-15 12:44:12 -05:00
Patrick Schleizer
23b936b573
also support /usr/local/etc/pam-info-debug 2022-11-15 12:31:14 -05:00
Patrick Schleizer
95487346db
pam-info: create debug log file ~/pam-info-debug.txt
when file /etc/pam-info-debug exists
2022-11-15 12:29:41 -05:00
Patrick Schleizer
2872c2ab52
comments 2022-11-15 12:00:59 -05:00
Patrick Schleizer
6033de7815
debugging 2022-11-15 11:58:50 -05:00
Patrick Schleizer
272a33fe2c
addgroup -> adduser fix 2022-08-13 11:35:25 -04:00
Patrick Schleizer
82da4ed18f
comments 2022-07-28 09:56:24 -04:00
Patrick Schleizer
a6bee1493d
cold-boot-attack-defense wait longer to make messages readable by user 2022-07-28 09:55:12 -04:00
Patrick Schleizer
053142cdb5
fix 2022-07-26 10:00:21 -04:00
Patrick Schleizer
3b844eaab2
output 2022-07-09 11:42:11 -04:00
Patrick Schleizer
73d2c9d921
output 2022-07-09 11:40:15 -04:00
Patrick Schleizer
adfdac6dea
output 2022-07-09 11:40:01 -04:00
Patrick Schleizer
1df2cfd1ad
comment 2022-07-09 11:38:37 -04:00
Patrick Schleizer
fede41e6e0
fix 2022-07-09 11:38:04 -04:00
Krish-sysadmin
e5f8004a94
Update hide-hardware-info 2022-07-05 03:37:40 +02:00
Patrick Schleizer
69af8be7b8
drop_caches before and after sdmem 2022-07-02 19:10:55 -04:00
Patrick Schleizer
67bdd58bf2
sync 2022-07-02 19:07:06 -04:00
Patrick Schleizer
973f117aa6
wipe RAM at shutdown: Ensure any remaining disk cache is erased by Linux' memory poisoning
by running:
`echo 3 > /proc/sys/vm/drop_caches`

Inspired by Tails:
https://gitlab.tails.boum.org/tails/tails/-/blob/master/config/chroot_local-includes/usr/local/lib/initramfs-pre-shutdown-hook
2022-07-02 18:12:36 -04:00
Patrick Schleizer
95187bd357
fix 2022-07-02 17:21:33 -04:00
Patrick Schleizer
148a050468
fix 2022-07-02 16:03:45 -04:00
Patrick Schleizer
82e7863d5b
improvement 2022-07-02 16:02:28 -04:00
Patrick Schleizer
1144b39e5e
debugging 2022-07-02 15:50:59 -04:00
Patrick Schleizer
c29b21c08a
output 2022-07-02 15:45:19 -04:00
Patrick Schleizer
d34fe21963
fix 2022-07-02 15:32:42 -04:00
Patrick Schleizer
32fdcf522b
- introduce wiperam=skip kernel parameter to skip wipe ram
- introduce `wiperam=force` kernel parameter to force wipe ram inside VMs
2022-06-30 14:47:45 -04:00
Patrick Schleizer
036f518ddc
improvement 2022-06-30 13:56:29 -04:00
Patrick Schleizer
0e2fae2b69
skip ram wipe inside VMs
https://forums.whonix.org/t/is-ram-wipe-possible-inside-whonix-cold-boot-attack-defense/5596/40
2022-06-30 13:50:18 -04:00
Patrick Schleizer
e06405c7be
undo 2022-06-29 16:56:16 -04:00
Patrick Schleizer
1b97d9cb76
fix 2022-06-29 16:30:31 -04:00
Patrick Schleizer
92c543e71f
output 2022-06-29 16:24:52 -04:00
Patrick Schleizer
d4161b2748
output 2022-06-29 16:23:42 -04:00
Patrick Schleizer
1ce7b27297
improvement 2022-06-29 16:23:12 -04:00
Patrick Schleizer
8b584c570a
lintian 2022-06-29 16:06:22 -04:00
Patrick Schleizer
f5e0c1742a
credits 2022-06-29 16:02:05 -04:00
Patrick Schleizer
42e24f3c24
update file names 2022-06-29 15:54:49 -04:00
Patrick Schleizer
52aaac9b6d
rename 2022-06-29 15:53:52 -04:00
Patrick Schleizer
619bb3cf4d
rename 2022-06-29 15:53:24 -04:00
Patrick Schleizer
2a8504cf1b
move 2022-06-29 15:51:14 -04:00
Patrick Schleizer
af8b211c23
improvements 2022-06-29 15:50:20 -04:00
Patrick Schleizer
e9cd5d934b
copyright 2022-06-29 15:24:27 -04:00
Patrick Schleizer
1c51d15649
lintian 2022-06-29 15:23:53 -04:00
Patrick Schleizer
9ab81d4581
do not power off too fast so wipe ram messages can be read 2022-06-29 15:22:00 -04:00
Patrick Schleizer
19439033de
copyright 2022-06-29 15:19:56 -04:00
Patrick Schleizer
fc202ede16
delete no longer required usr/lib/dracut/modules.d/40sdmem-security-misc/README.md 2022-06-29 15:18:28 -04:00
Patrick Schleizer
6d3a08a936
improvements 2022-06-29 15:17:40 -04:00
Patrick Schleizer
6eba53767f
lintian 2022-06-29 14:17:52 -04:00
Patrick Schleizer
8a072437cc
ram wipe on shutdown: fix, added need_shutdown hook
Otherwise dracut does not run on shutdown.

Without `need_shutdown` file `/run/initramfs/.need_shutdown` does not get created.
And without that file `/usr/lib/dracut/dracut-initramfs-restore`,
which itself is started by `/lib/systemd/system/dracut-shutdown.service` does nothing.
2022-06-29 14:13:30 -04:00
Patrick Schleizer
924077e04c
verbose 2022-06-29 13:02:53 -04:00
Patrick Schleizer
db301dfd7f
comment 2022-06-29 13:02:39 -04:00
Patrick Schleizer
73d2ada0de
comment 2022-06-29 13:02:01 -04:00
Patrick Schleizer
295811a88f
improvements 2022-06-29 11:14:52 -04:00
Patrick Schleizer
cfae7de6a8
lintian 2022-06-29 09:58:37 -04:00
Patrick Schleizer
024d52a67e
improve usr/lib/dracut/modules.d/40sdmem-security-misc/module-setup.sh 2022-06-29 09:52:53 -04:00
Patrick Schleizer
29253004b6
minor 2022-06-29 09:38:18 -04:00
Patrick Schleizer
6f19af1542
add shebang /bin/sh
to fix lintian warning
security-misc: executable-not-elf-or-script usr/lib/dracut/modules.d/40sdmem-security-misc/wipe.sh
2022-06-29 09:35:08 -04:00
Patrick Schleizer
38cdf2722b
- Wipe LUKS Disk Encryption Key for Root Disk from RAM during Shutdown to defeat Cold Boot Attacks
- Confirm in console output if encrypted mounts (root disk) is unmounted. (Because that is a pre-condition for wiping the LUKS full disk encryption key from RAM.)

Thanks to @friedy10!

https://github.com/friedy10/dracut/tree/master/modules.d/40sdmem

https://forums.whonix.org/t/is-ram-wipe-possible-inside-whonix-cold-boot-attack-defense/5596
2022-06-29 09:32:55 -04:00
Patrick Schleizer
d7dd188651
remove unicode 2022-06-08 09:27:02 -04:00
Patrick Schleizer
55d16e1602
remove unicode 2022-06-08 09:04:03 -04:00
Kuri Schlarb
2bdda9d0a0
permssion-hardening: Do not skip config file lines without trailing newline (ancient bash bug) 2022-06-07 08:18:05 +00:00
Kuri Schlarb
9fd8e1c9b0
permission-hardening: Fix issue with pipelining failures causing incorrect user/group lookup results 2022-06-07 08:03:56 +00:00
Patrick Schleizer
2d37e3a1af
copyright 2022-05-20 14:46:38 -04:00
Patrick Schleizer
7651308787
Merge pull request #103 from 0xC0ncord/bugfix/selinuxfs_restrictions
hide-hardware-info: re-enable restrictions on sysfs when using SELinux
2022-05-19 19:39:42 -04:00
Patrick Schleizer
bb0307290b
update link 2022-04-16 14:18:35 -04:00
0xC0ncord
93efa506da hide-hardware-info: disable selinux whitelist by default 2022-03-17 11:41:57 -04:00
Patrick Schleizer
b0a0004a85
output 2022-02-10 13:47:10 -05:00
Patrick Schleizer
4f6f588fb5
fix, skip deletion of system.map files on read-only filesystems
This is required for Qubes /lib/modules read-only implementation at time of writing.

Thanks to @marmarek for the bug report!

https://forums.whonix.org/t/remove-system-map-cannot-work-lib-modules-is-mounted-read-only/13324
2022-02-10 13:44:55 -05:00
0xC0ncord
4172232eb7 hide-hardware-info: make indentation consistent 2021-10-10 16:03:40 -04:00
0xC0ncord
060d7d890a hide-hardware-info: re-enable restrictions on sysfs when using SELinux
When using SELinux, restrict the parts of sysfs explicitly to ensure
restrictions are working as expected.
2021-10-10 16:03:07 -04:00
Patrick Schleizer
be8c10496f
fix faillock implementation
dovecot / ssh are exempted
2021-09-01 15:55:53 -04:00
Patrick Schleizer
8b104f544a
fix, add sshd to pam_service_exclusion_list
to avoid faillock
2021-09-01 15:45:36 -04:00
Patrick Schleizer
db43cedcfd
LANG=C str_replace 2021-08-22 05:23:24 -04:00
Patrick Schleizer
582492d6d8
port from pam_tally2 to pam_faillock
since pam_tally2 was deprecated upstream
2021-08-10 17:13:00 -04:00
Patrick Schleizer
2bf0e7471c
port from pam_tally2 to pam_faillock
since pam_tally2 was deprecated upstream
2021-08-10 15:11:01 -04:00
Patrick Schleizer
2aea74bd71
renamed: usr/libexec/security-misc/pam_tally2-info -> usr/libexec/security-misc/pam-info
renamed:    usr/libexec/security-misc/pam_tally2_not_if_x -> usr/libexec/security-misc/pam_faillock_not_if_x
renamed:    usr/share/pam-configs/tally2-security-misc -> usr/share/pam-configs/faillock-security-misc
2021-08-10 15:06:04 -04:00
Patrick Schleizer
50bdd097df
move /usr/lib/security-misc to /usr/libexec/security-misc as per lintian FHS 2021-08-03 12:56:31 -04:00
Patrick Schleizer
4fadaad8c0
lintian FHS 2021-08-03 12:52:10 -04:00
Patrick Schleizer
6607c1e4bd
move /usr/lib/helper-scripts and /usr/lib/curl-scripts to /usr/libexec/helper-scripts as per lintian FHS 2021-08-03 12:48:57 -04:00
Patrick Schleizer
240ec7672a
replace no longer required /usr/lib/security-misc/apt-get-wrapper with apt-get --error-on=any 2021-08-03 12:19:26 -04:00
Patrick Schleizer
8eae635668
update lintian tag name 2021-08-03 11:51:31 -04:00
Patrick Schleizer
bb3e65f7a8
bullseye 2021-08-03 03:25:35 -04:00
Patrick Schleizer
b3e34f7f43
comment 2021-07-25 11:27:07 -04:00
Patrick Schleizer
7e128636b3
improve LKRG VirtualBox host configuration
as per https://github.com/openwall/lkrg/issues/82#issuecomment-886188999
2021-07-25 11:26:20 -04:00
Patrick Schleizer
257cef24ba
add LKRG compatibility settings automation for VirtualBox hosts
https://github.com/openwall/lkrg/issues/82
2021-07-24 18:03:40 -04:00
Patrick Schleizer
74e39cbf69
pam-abort-on-locked-password: more descriptive error handling
https://forums.whonix.org/t/restrict-root-access/7658/1
2021-06-20 11:18:56 -04:00
Patrick Schleizer
a67007f4b7
copyright 2021-03-17 09:45:21 -04:00
Patrick Schleizer
a1819e8cab
comment 2021-03-01 09:15:44 -05:00
Kenton Groombridge
4db7d6be64
hide-hardware-info: allow unrestricting selinuxfs
On SELinux systems, the /sys/fs/selinux directory must be visible to
userspace utilities in order to function properly.
2021-02-06 03:02:08 -05:00
Patrick Schleizer
af3244741d
comment 2021-01-29 23:15:52 -05:00
Patrick Schleizer
b0b7f569ee
comment 2021-01-28 02:11:54 -05:00
Patrick Schleizer
9622f28e25
skip counting failed login attempts from dovecot
Failed dovecot logins should not result in account getting locked.

revert "use pam_tally2 only for login"
2021-01-27 05:49:34 -05:00
Patrick Schleizer
6757104aa4
use pam_tally2 only for login
to skip counting failed login attempts over ssh and mail login
2021-01-24 05:04:48 -05:00
Patrick Schleizer
c5097ed599
comment 2020-12-06 04:23:09 -05:00
Patrick Schleizer
c031f22995
SUID Disabler and Permission Hardener: introduce configuration option to disable all whitelists
`whitelists_disable_all=true`
2020-12-01 05:14:48 -05:00
Patrick Schleizer
b09cc0de6a
Revert "SUID Disabler and Permission Hardener: introduce configuration option to disable all whitelists"
This reverts commit 36a471ebce.
2020-12-01 05:10:26 -05:00
Patrick Schleizer
36a471ebce
SUID Disabler and Permission Hardener: introduce configuration option to disable all whitelists
`whitelists_disable_all=true`
2020-12-01 05:02:34 -05:00
Patrick Schleizer
28a326a8a1
add feature /usr/lib/security-misc/permission-hardening-undo /path/to/filename
to allow removing 1 SUID

fix, show INFO message if file does not exist during removal rather than ERROR
2020-11-28 05:31:12 -05:00
Patrick Schleizer
abae787186
usability: pam abort when attempting to login to root when root password is locked 2020-11-05 06:47:16 -05:00
Patrick Schleizer
581e31af81
comment 2020-11-05 06:46:57 -05:00
Patrick Schleizer
dfe9b0f6c7
fix, no longer unconditionally abort pam for user accounts with locked passwords
as locked user accounts might have valid sudoers exceptions

Thanks to @mimp for the bug report!

https://forums.whonix.org/t/pam-abort-on-locked-password-and-running-privileged-command-from-web-browser/10521
2020-11-05 06:42:47 -05:00
Patrick Schleizer
211769dc65
comment 2020-11-05 06:41:51 -05:00
Patrick Schleizer
7952139731
comment 2020-11-05 06:39:32 -05:00
Patrick Schleizer
bb72c1278d
copyright 2020-11-05 06:36:39 -05:00
Patrick Schleizer
5c81e1f23f
import from anon-gpg-conf 2020-04-06 09:25:45 -04:00
Patrick Schleizer
1188a44f47
port to python 3.7 2020-04-04 16:49:30 -04:00
Patrick Schleizer
2ceea8d1fe
update copyright year 2020-04-01 08:49:59 -04:00
Patrick Schleizer
649ec5dfa1
pkexec wrapper: fix gdebi / synaptic
but at cost of checking for passwordless sudo /etc/suders /etc/sudoers.d
exceptions.

http://forums.whonix.org/t/cannot-use-pkexec/8129/53
2020-02-29 04:59:56 -05:00
Patrick Schleizer
9bbae903fe
remove-system.map: lower verbosity output 2020-02-15 05:29:48 -05:00
madaidan
31009f0bfa
Shred System.map files 2020-02-14 23:46:19 +00:00
Patrick Schleizer
1f6ed2cc70
add support for passing parameters to usr/lib/security-misc/apt-get-update 2020-02-03 08:55:20 -05:00
Patrick Schleizer
8627c9f76d
/usr/lib/security-misc/apt-get-update increase default timeout_after="600" 2020-01-31 12:18:02 -05:00
Patrick Schleizer
829e28aa90
/usr/lib/security-misc/apt-get-update environment variable timeout_after kill_after support 2020-01-31 12:17:07 -05:00
Patrick Schleizer
d4a37b6df2
remove-system.map: source /usr/lib/helper-scripts/pre.bsh 2020-01-24 03:18:17 -05:00
Patrick Schleizer
18041efa2f
fix pam tally2 check when read-only disk boot without ro-mode-init or grub-live 2020-01-21 10:01:17 -05:00
Patrick Schleizer
80159545a5
fix xfce4-power-manager xfpm-power-backlight-helper pkexec lxsudo popup
https://forums.whonix.org/t/xfce4-power-manager-xfpm-power-backlight-helper-pkexec-lxsudo-popup/8764

do show lxqt-sudo password prompt if there is a sudoers exceptoin

improved pkexec wrapper logging
2020-01-15 02:42:10 -05:00
Patrick Schleizer
d90ca4b1ad
refactoring 2020-01-14 15:12:13 -05:00
Patrick Schleizer
082f04f2d4
add logging to pkexec wrapper 2020-01-14 15:04:58 -05:00
Patrick Schleizer
5031e7cc4b
better output if trying to login with non-existing user 2019-12-31 08:18:38 -05:00
Patrick Schleizer
20697db3ee
improve console lockdown info output 2019-12-31 02:53:02 -05:00
Patrick Schleizer
788914de95
group ssh check was removed
https://forums.whonix.org/t/etc-security-hardening-console-lockdown-pam-access-access-conf/8592/27
2019-12-31 02:46:32 -05:00
Patrick Schleizer
1a0f7a7733
debugging 2019-12-29 04:43:32 -05:00
Patrick Schleizer
5271892cb1
debugging 2019-12-29 04:42:54 -05:00
Patrick Schleizer
683028049c
debugging 2019-12-29 04:41:23 -05:00
Patrick Schleizer
e3e1ff2a31
exit with error if a config line cannot be processed rather than skipping
https://forums.whonix.org/t/disable-suid-binaries/7706/59
2019-12-29 04:35:46 -05:00
Patrick Schleizer
d5c99f3a60
output 2019-12-29 04:27:21 -05:00
Patrick Schleizer
04f438f75d
comment 2019-12-24 18:09:37 -05:00
Patrick Schleizer
9da0e428ed
debugging 2019-12-24 17:54:31 -05:00
Patrick Schleizer
e18ec533c3
comment 2019-12-24 17:54:02 -05:00
Patrick Schleizer
f8f2e6c704
fix disablewhitelist feature 2019-12-23 02:35:13 -05:00
Patrick Schleizer
47ddcad0c0
rename keyword whitelist to exactwhitelist
add new keyword disablewhitelist

refactoring
2019-12-23 02:29:47 -05:00
Patrick Schleizer
34bf245713
output 2019-12-23 01:35:45 -05:00
Patrick Schleizer
ba30e45d15
output 2019-12-23 01:32:42 -05:00
Patrick Schleizer
ee9c5742da
output 2019-12-23 01:29:48 -05:00
Patrick Schleizer
6d05359abc
output 2019-12-23 01:21:52 -05:00
Patrick Schleizer
a1e78e8515
fix needlessly re-adding entries 2019-12-23 01:20:56 -05:00
Patrick Schleizer
906b3d32e7
output 2019-12-23 01:09:57 -05:00
Patrick Schleizer
4f76867da6
lower debugging 2019-12-23 01:08:02 -05:00
Patrick Schleizer
dc6e5d8508
fix 2019-12-23 01:06:38 -05:00
Patrick Schleizer
87b999f92a
refactoring 2019-12-23 00:59:43 -05:00
Patrick Schleizer
065ff4bd05
sanity_tests 2019-12-23 00:59:24 -05:00