Commit Graph

900 Commits

Author SHA1 Message Date
Patrick Schleizer
66bcba8313
improve character whitelisting 2019-12-20 01:58:35 -05:00
Patrick Schleizer
8f14e808a9
send error messages to stderr 2019-12-20 01:32:49 -05:00
Patrick Schleizer
d8c9fac2e5
output 2019-12-20 01:32:08 -05:00
Patrick Schleizer
f19abaf627
refactoring 2019-12-20 01:31:37 -05:00
Patrick Schleizer
c5d1e9dda7
Merge remote-tracking branch 'origin/master' 2019-12-20 01:30:31 -05:00
Patrick Schleizer
a20b30013f
Merge pull request #44 from madaidan/permission-hardening
Remove SUID bits
2019-12-20 06:29:58 +00:00
madaidan
9df7407286
Remove SUID bits 2019-12-19 17:01:33 +00:00
madaidan
3c2ca0257f
Support for removing SUID bits 2019-12-19 17:01:08 +00:00
Patrick Schleizer
62eb462920
skip console_users_check for Qubes users 2019-12-16 06:46:48 -05:00
Patrick Schleizer
ab68182e11
bumped changelog version 2019-12-16 06:27:51 -05:00
Patrick Schleizer
2cab38a8b3
readme 2019-12-16 06:24:14 -05:00
Patrick Schleizer
4ca9fc5920
fix 2019-12-16 03:53:10 -05:00
Patrick Schleizer
f68efd53cf
remount /sys/kernel/security with nodev,nosuid[,noexec]
as suggested by @madaidan

http://forums.whonix.org/t/apparmor-for-complete-system-including-init-pid1-systemd-everything-full-system-mac-policy/8339/238
2019-12-16 03:52:09 -05:00
Patrick Schleizer
2c4170e6f3
description 2019-12-12 09:47:58 -05:00
Patrick Schleizer
2d5ef378f3
description 2019-12-12 09:39:39 -05:00
Patrick Schleizer
300f010fc2
increase priority of pam-abort-on-locked-password-security-misc
since it has its own user help output

so it shows before pam tally2 info

to avoid duplicate non-applicable help text
2019-12-12 09:29:00 -05:00
Patrick Schleizer
a10597de92
bumped changelog version 2019-12-12 09:04:15 -05:00
Patrick Schleizer
729fa26eca
use pam_acccess only for /etc/pam.d/login
remove "Allow members of group 'ssh' to login."
remove "+:ssh:ALL EXCEPT LOCAL"
2019-12-12 09:00:08 -05:00
Patrick Schleizer
22b6480bc4
bumped changelog version 2019-12-10 11:44:02 -05:00
Patrick Schleizer
88bea2a6ef
comment 2019-12-10 03:53:10 -05:00
Patrick Schleizer
7d8001ddc9
refactoring 2019-12-10 03:51:39 -05:00
Patrick Schleizer
d2f6ac0491
fix, do user/group modifications in preinst rather than postinst 2019-12-10 03:50:23 -05:00
Patrick Schleizer
64ae53edb9
bumped changelog version 2019-12-09 08:25:30 -05:00
Patrick Schleizer
d80bf036f3
Disable permission hardening now until development finished / tested. 2019-12-09 03:50:43 -05:00
Patrick Schleizer
b72eb30056
quotes 2019-12-09 02:32:05 -05:00
Patrick Schleizer
c258376b7e
use read (built-in) rather than awk (external) 2019-12-09 02:31:10 -05:00
Patrick Schleizer
02165201ab
read -r; refactoring
as per https://mywiki.wooledge.org/BashFAQ/001
2019-12-09 02:23:43 -05:00
Patrick Schleizer
7467252122
quotes 2019-12-09 02:22:16 -05:00
Patrick Schleizer
9bea996017
Merge remote-tracking branch 'origin/master' 2019-12-09 02:21:47 -05:00
Patrick Schleizer
af62da3445
Merge pull request #42 from madaidan/permission-hardening
File permission hardening
2019-12-08 20:45:16 +00:00
madaidan
d7e2deae92
Create permission-hardening.service 2019-12-08 16:50:54 +00:00
madaidan
6c564f6e95
Create permission-hardening.conf 2019-12-08 16:50:11 +00:00
madaidan
61e19fa5f1
Create permission-hardening 2019-12-08 16:49:28 +00:00
Patrick Schleizer
6f944234a9
bumped changelog version 2019-12-08 05:26:29 -05:00
Patrick Schleizer
e64741c01e
readme 2019-12-08 05:25:19 -05:00
Patrick Schleizer
c192644ee3
security-misc /usr/share/pam-configs/permission-lockdown-security-misc is no longer required, removed.
Thereby fix apparmor issue.

> Dec 08 09:47:50 host audit[3232]: AVC apparmor="DENIED" operation="exec" profile="/usr/bin/whonixcheck" name="/usr/lib/security-misc/permission-lockdown" pid=3232 comm="sudo" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
> Dec 08 09:47:50 host sudo[3232]: pam_exec(sudo:session): execve(/usr/lib/security-misc/permission-lockdown,...) failed: Permission denied

It is no longer required, because...

existing linux user accounts:

* Get permission lock down because security-misc `debian/security-misc.postinst` calls `/usr/lib/security-misc/permission-lockdown`.

new linux user accounts (created at first boot):

* security-misc `/usr/share/pam-configs/mkhomedir-security-misc` pam mkhomedir sets secure permissions using `umask=027`.
2019-12-08 05:21:35 -05:00
Patrick Schleizer
edcc2de71d
bumped changelog version 2019-12-08 04:38:33 -05:00
Patrick Schleizer
1227ccd1f7
After=qubes-sysinit.service 2019-12-08 04:37:53 -05:00
Patrick Schleizer
17d81d0083
bumped changelog version 2019-12-08 04:27:01 -05:00
Patrick Schleizer
ebae9eef38
skip sudo_users_check in Qubes
Qubes users can use dom0 to get a root terminal emulator.

For example:
qvm-run -u root debian-10 xterm
2019-12-08 04:25:19 -05:00
Patrick Schleizer
53e4717c62
bumped changelog version 2019-12-08 04:05:29 -05:00
Patrick Schleizer
bc45ed385e
readme 2019-12-08 04:03:02 -05:00
Patrick Schleizer
ac96708b24
improve usr/bin/hardening-enable 2019-12-08 04:01:11 -05:00
Patrick Schleizer
a345a0fb64
abort installation if ssh.service is enabled but no user is member of group ssh 2019-12-08 03:27:12 -05:00
Patrick Schleizer
50ac03363f
output 2019-12-08 03:18:32 -05:00
Patrick Schleizer
c7c65fe4e7
higher priority usr/share/pam-configs/tally2-security-misc
so it can give info before pam stack gets aborted by other pam modules
2019-12-08 03:15:53 -05:00
Patrick Schleizer
3bd0b3f837
notify when attempting to use ssh but user is member of group ssh 2019-12-08 03:10:41 -05:00
Patrick Schleizer
cea598dc1a
refactoring 2019-12-08 02:43:05 -05:00
Patrick Schleizer
54f5e02c21
comment 2019-12-08 02:42:30 -05:00
Patrick Schleizer
b4265195f4
refactoring 2019-12-08 02:41:36 -05:00