Commit Graph

1222 Commits

Author SHA1 Message Date
Kenton Groombridge
4db7d6be64
hide-hardware-info: allow unrestricting selinuxfs
On SELinux systems, the /sys/fs/selinux directory must be visible to
userspace utilities in order to function properly.
2021-02-06 03:02:08 -05:00
Patrick Schleizer
3120ff3ec9
bumped changelog version 2021-01-29 23:37:03 -05:00
Patrick Schleizer
af3244741d
comment 2021-01-29 23:15:52 -05:00
Patrick Schleizer
d9aaf59105
bumped changelog version 2021-01-28 02:15:46 -05:00
Patrick Schleizer
b0b7f569ee
comment 2021-01-28 02:11:54 -05:00
Patrick Schleizer
f2595cc254
bumped changelog version 2021-01-27 05:50:16 -05:00
Patrick Schleizer
9622f28e25
skip counting failed login attempts from dovecot
Failed dovecot logins should not result in account getting locked.

revert "use pam_tally2 only for login"
2021-01-27 05:49:34 -05:00
Patrick Schleizer
480f74cab6
bumped changelog version 2021-01-24 05:10:36 -05:00
Patrick Schleizer
6757104aa4
use pam_tally2 only for login
to skip counting failed login attempts over ssh and mail login
2021-01-24 05:04:48 -05:00
Patrick Schleizer
126c31c37d
bumped changelog version 2021-01-19 19:41:43 -05:00
Patrick Schleizer
14d13fb03e
readme 2021-01-19 19:41:42 -05:00
Patrick Schleizer
611fbe2c61
description 2021-01-18 05:39:34 -05:00
Patrick Schleizer
0e8ea5eb72
bumped changelog version 2021-01-14 02:36:49 -05:00
Patrick Schleizer
ddd62c1eef
readme 2021-01-12 03:24:11 -05:00
Patrick Schleizer
468d8b600d
readme 2021-01-12 03:20:58 -05:00
Patrick Schleizer
b5cee63999
new file: README_generic.md 2021-01-12 03:19:31 -05:00
Patrick Schleizer
94627f0875
Merge remote-tracking branch 'github/master' 2021-01-12 03:18:41 -05:00
Patrick Schleizer
79876f7b12
Merge pull request #99 from madaidan/docs
Overhaul documentation
2021-01-12 08:17:04 +00:00
madaidan
3066b5ad97
Overhaul documentation 2021-01-12 02:17:13 +00:00
Patrick Schleizer
353e74fb5f
bumped changelog version 2021-01-05 08:30:37 -05:00
Patrick Schleizer
a258f35f38
comment 2021-01-05 02:11:08 -05:00
Patrick Schleizer
a4d7e46141
bumped changelog version 2020-12-10 05:20:57 -05:00
Patrick Schleizer
c5097ed599
comment 2020-12-06 04:23:09 -05:00
Patrick Schleizer
b2b614ed2a
cover more folders in /usr/local 2020-12-06 04:15:52 -05:00
Patrick Schleizer
5bd267d774
refactoring 2020-12-06 04:10:50 -05:00
Patrick Schleizer
11cdce02a0
refactoring 2020-12-06 04:10:10 -05:00
Patrick Schleizer
f73c55f16c
/opt
https://forums.whonix.org/t/suid-disabler-and-permission-hardener/7706/68
2020-12-06 04:08:58 -05:00
Patrick Schleizer
261ef85c14
bumped changelog version 2020-12-01 05:53:06 -05:00
Patrick Schleizer
c031f22995
SUID Disabler and Permission Hardener: introduce configuration option to disable all whitelists
`whitelists_disable_all=true`
2020-12-01 05:14:48 -05:00
Patrick Schleizer
b09cc0de6a
Revert "SUID Disabler and Permission Hardener: introduce configuration option to disable all whitelists"
This reverts commit 36a471ebce.
2020-12-01 05:10:26 -05:00
Patrick Schleizer
704f0500ba
fix, rename 40_default_whitelist_[...].conf to 25_default_whitelist_[...].conf
since whitelist needs to be defined before SUID removal commands
2020-12-01 05:03:16 -05:00
Patrick Schleizer
36a471ebce
SUID Disabler and Permission Hardener: introduce configuration option to disable all whitelists
`whitelists_disable_all=true`
2020-12-01 05:02:34 -05:00
Patrick Schleizer
318ab570aa
simplify disabling of SUID Disabler and Permission Hardener whitelist
split `/etc/permission-hardening.d/30_default.conf` into multiple files

`/etc/permission-hardening.d/40_default_whitelist_[...].conf`

therefore make it easier to delete any whitelisted SUID binaries
2020-12-01 04:28:15 -05:00
Patrick Schleizer
cf07e977bd
add /bin/pkexec exactwhitelist for consistency
since there is already `/usr/bin/pkexec exactwhitelist`
2020-11-29 09:09:42 -05:00
Patrick Schleizer
fe27483886
bumped changelog version 2020-11-28 06:08:10 -05:00
Patrick Schleizer
28a326a8a1
add feature /usr/lib/security-misc/permission-hardening-undo /path/to/filename
to allow removing 1 SUID

fix, show INFO message if file does not exist during removal rather than ERROR
2020-11-28 05:31:12 -05:00
Patrick Schleizer
0ef35f8770
bumped changelog version 2020-11-06 10:18:09 -05:00
Patrick Schleizer
abae787186
usability: pam abort when attempting to login to root when root password is locked 2020-11-05 06:47:16 -05:00
Patrick Schleizer
581e31af81
comment 2020-11-05 06:46:57 -05:00
Patrick Schleizer
dfe9b0f6c7
fix, no longer unconditionally abort pam for user accounts with locked passwords
as locked user accounts might have valid sudoers exceptions

Thanks to @mimp for the bug report!

https://forums.whonix.org/t/pam-abort-on-locked-password-and-running-privileged-command-from-web-browser/10521
2020-11-05 06:42:47 -05:00
Patrick Schleizer
211769dc65
comment 2020-11-05 06:41:51 -05:00
Patrick Schleizer
7952139731
comment 2020-11-05 06:39:32 -05:00
Patrick Schleizer
bb72c1278d
copyright 2020-11-05 06:36:39 -05:00
Patrick Schleizer
f4843b1deb
bumped changelog version 2020-10-31 06:29:25 -04:00
Patrick Schleizer
c1e0bb8310
shebang 2020-10-31 06:11:49 -04:00
Patrick Schleizer
b06d4ca299
bumped changelog version 2020-10-31 06:09:22 -04:00
Patrick Schleizer
3f656be574
chmod +x /etc/X11/Xsession.d/50panic_on_oops
chmod +x /etc/X11/Xsession.d/50security-misc
2020-10-31 05:48:10 -04:00
Patrick Schleizer
881d695bff
bumped changelog version 2020-10-05 07:03:37 -04:00
Patrick Schleizer
3adb2c92d9
Merge remote-tracking branch 'github/master' 2020-10-03 14:10:32 -04:00
Patrick Schleizer
58560138cd
Merge pull request #77 from madaidan/debugfs
Restrict access to debugfs
2020-10-03 18:09:07 +00:00