Patrick Schleizer
3670fcf48b
depend on libcap2-bin for setcap / getcap / capsh
2019-12-23 00:49:33 -05:00
madaidan
8f11a520f4
Update control
2019-12-22 13:54:16 +00:00
Patrick Schleizer
b74e5ca972
comment
2019-12-21 07:47:00 -05:00
Patrick Schleizer
ed20980f4c
refactoring
2019-12-21 05:07:10 -05:00
Patrick Schleizer
8e112c3423
description
2019-12-20 06:53:24 -05:00
Patrick Schleizer
24ea70384b
description
2019-12-20 06:53:03 -05:00
Patrick Schleizer
2c4170e6f3
description
2019-12-12 09:47:58 -05:00
Patrick Schleizer
2d5ef378f3
description
2019-12-12 09:39:39 -05:00
Patrick Schleizer
c192644ee3
security-misc /usr/share/pam-configs/permission-lockdown-security-misc
is no longer required, removed.
...
Thereby fix apparmor issue.
> Dec 08 09:47:50 host audit[3232]: AVC apparmor="DENIED" operation="exec" profile="/usr/bin/whonixcheck" name="/usr/lib/security-misc/permission-lockdown" pid=3232 comm="sudo" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
> Dec 08 09:47:50 host sudo[3232]: pam_exec(sudo:session): execve(/usr/lib/security-misc/permission-lockdown,...) failed: Permission denied
It is no longer required, because...
existing linux user accounts:
* Get permission lock down because security-misc `debian/security-misc.postinst` calls `/usr/lib/security-misc/permission-lockdown`.
new linux user accounts (created at first boot):
* security-misc `/usr/share/pam-configs/mkhomedir-security-misc` pam mkhomedir sets secure permissions using `umask=027`.
2019-12-08 05:21:35 -05:00
Patrick Schleizer
1dbca1ea2d
add usr/bin/hardening-enable
2019-12-08 02:27:09 -05:00
Patrick Schleizer
24423b42f0
description
2019-12-08 02:03:05 -05:00
Patrick Schleizer
66bebefc9f
description
2019-12-08 02:00:23 -05:00
Patrick Schleizer
b871421a54
usr/share/pam-configs/console-lockdown -> usr/share/pam-configs/console-lockdown-security-misc
2019-12-08 01:57:43 -05:00
Patrick Schleizer
1464f01d19
description
2019-12-08 01:30:42 -05:00
Patrick Schleizer
55225aa30e
description
2019-12-07 07:16:07 -05:00
Patrick Schleizer
34a2bc16c8
description
2019-12-07 07:15:58 -05:00
Patrick Schleizer
d823f06c78
description
2019-12-07 07:13:42 -05:00
Patrick Schleizer
090ddbe96a
description
2019-12-07 06:00:41 -05:00
Patrick Schleizer
6479c883bf
Console Lockdown.
...
Allow members of group 'console' to use tty1 to tty7. Everyone else except
members of group 'console-unrestricted' are restricted from using console
using ancient, unpopular login methods such as using /bin/login over networks,
which might be exploitable. (CVE-2001-0797)
Not enabled by default in this package since this package does not know which
users shall be added to group 'console'.
In new Whonix builds, user 'user" will be added to group 'console' and
pam console-lockdown enabled by package anon-base-files.
/usr/share/pam-configs/console-lockdown
/etc/security/access-security-misc.conf
https://forums.whonix.org/t/etc-security-hardening/8592
2019-12-07 05:40:20 -05:00
Patrick Schleizer
6d92d03b31
description
2019-12-07 01:54:50 -05:00
Patrick Schleizer
470cad6e91
remount /home /tmp /dev/shm /run with nosuid,nodev (default) and noexec (opt-in)
...
https://forums.whonix.org/t/re-mount-home-and-other-with-noexec-and-nosuid-among-other-useful-mount-options-for-better-security/7707
2019-12-06 05:14:02 -05:00
madaidan
af9e19c51f
Update control
2019-12-05 20:14:55 +00:00
Patrick Schleizer
0c25a96b59
description / comments
2019-12-03 02:18:32 -05:00
madaidan
8d63da3cef
Update control
2019-12-02 16:46:12 +00:00
Patrick Schleizer
25aed91eb1
description
2019-11-28 09:20:46 -05:00
Patrick Schleizer
0c4e5df3e0
description
2019-11-28 09:18:05 -05:00
Patrick Schleizer
5ac2a6f9ac
description
2019-11-28 09:17:32 -05:00
Patrick Schleizer
aa5451c8cd
Lock user accounts after 50 rather than 100 failed login attempts.
...
https://forums.whonix.org/t/how-strong-do-linux-user-account-passwords-have-to-be-when-using-full-disk-encryption-fde-too/7698/19
2019-11-25 01:39:53 -05:00
Patrick Schleizer
fe1f1b73a7
load jitterentropy_rng kernel module for better entropy collection
...
https://www.whonix.org/wiki/Dev/Entropy
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=927972
https://forums.whonix.org/t/jitterentropy-rngd/7204
2019-11-23 11:20:32 +00:00
Patrick Schleizer
b55c2fd62e
Enables punycode (network.IDN_show_punycode
) by default in Thunderbird
...
to make phising attacks more difficult. Fixing URL not showing real Domain
Name (Homograph attack).
https://forums.whonix.org/t/enable-network-idn-show-punycode-by-default-in-thunderbird-to-fix-url-not-showing-real-domain-name-homograph-attack-punycode/8415
2019-11-03 02:50:51 -05:00
Patrick Schleizer
203d5cfa68
copyright
2019-10-31 11:19:44 -04:00
madaidan
fe4e29d392
Depend on dh-apparmor
2019-10-28 14:22:47 +00:00
Patrick Schleizer
40707e70db
Redirect calls for pkexec to lxqt-sudo because pkexec is incompatible with hidepid.
...
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=860040
https://forums.whonix.org/t/cannot-use-pkexec/8129
Thanks to AnonymousUser for the bug report!
2019-10-21 05:46:49 -04:00
Patrick Schleizer
d301e7f365
description, fix lintian warning
2019-10-18 10:36:44 +00:00
madaidan
259b1f2c71
Update control
2019-10-16 19:21:24 +00:00
Patrick Schleizer
8b4f2befd4
comment out sack by default
...
https://forums.whonix.org/t/disabling-tcp-sack-dsack-fack/8109/8?u=patrick
2019-10-05 13:15:34 +00:00
Patrick Schleizer
02096f8d7c
Revert "undo Disabling TCP SACK, DSACK, FACK"
...
This reverts commit 5fb4eb8e56
.
2019-10-05 13:13:46 +00:00
Patrick Schleizer
5fb4eb8e56
undo Disabling TCP SACK, DSACK, FACK
...
https://forums.whonix.org/t/disabling-tcp-sack-dsack-fack/8109/5
2019-10-05 07:00:47 -04:00
madaidan
ec5fcf813b
Update control
2019-10-03 20:50:48 +00:00
Patrick Schleizer
619550da23
description
2019-09-15 14:00:24 +00:00
Patrick Schleizer
b95b66e429
description
2019-09-15 13:56:37 +00:00
Patrick Schleizer
ae804a15e7
description
2019-09-15 13:21:02 +00:00
Patrick Schleizer
f13a73e569
undo SysRq restrictions
...
https://forums.whonix.org/t/sysrq-magic-sysrq-key/8079
2019-09-10 12:35:42 -04:00
Patrick Schleizer
661bcd8603
allow loading unsigned modules due to issues
...
https://forums.whonix.org/t/allow-loading-signed-kernel-modules-by-default-disallow-kernel-module-loading-by-default/7880/23
2019-09-07 05:39:56 +00:00
Patrick Schleizer
5960c1682a
description
2019-09-06 11:46:22 +00:00
Patrick Schleizer
fccfacfdaf
description
2019-09-06 11:45:54 +00:00
Patrick Schleizer
0e20e33d16
description
2019-09-05 02:31:57 -04:00
Patrick Schleizer
0b3dcef13d
description
2019-09-05 02:30:40 -04:00
Patrick Schleizer
f2e5883b4c
description
2019-09-05 02:29:48 -04:00
Patrick Schleizer
a4913ae092
description
2019-09-05 02:28:43 -04:00
Patrick Schleizer
3a5bdddf5c
depend on adduser
2019-08-31 08:43:46 -04:00
Patrick Schleizer
0ae5c5ff14
remove umask changes since these are causing issues are are not needed anymore
...
thanks to home folder permission lockdown
https://forums.whonix.org/t/change-default-umask/7416/45
2019-08-24 12:14:22 -04:00
Patrick Schleizer
a74b983283
remove LLC - IEEE 802.2 from blacklist
...
since required by KVM
https://forums.whonix.org/t/whonix-desktop-installer-with-calamares-field-report/7350/107
https://forums.whonix.org/t/blacklist-uncommon-network-protocols/7391/22
https://github.com/Whonix/security-misc/pull/29
2019-08-19 12:46:59 +00:00
Patrick Schleizer
e535232728
description
2019-08-17 10:37:49 +00:00
Patrick Schleizer
7ffdd7c240
description
2019-08-17 10:37:42 +00:00
Patrick Schleizer
207399439f
description
2019-08-17 10:37:36 +00:00
Patrick Schleizer
d4fb485e70
description
2019-08-17 10:35:31 +00:00
Patrick Schleizer
ed90d8b025
change default umask to 027
...
as per:
https://forums.whonix.org/t/change-default-umask/7416/47
2019-08-17 09:55:20 +00:00
Patrick Schleizer
f9e3825e91
fix lintian warning
2019-08-16 16:05:09 +00:00
Patrick Schleizer
224f95799c
sudo default umask 006
...
https://forums.whonix.org/t/change-default-umask/7416/43
2019-08-16 11:15:25 -04:00
Patrick Schleizer
85502ad430
Merge branch 'master' into patch-21
2019-08-16 14:35:51 +00:00
Patrick Schleizer
ff9bc1d7ea
informational output during PAM:
...
* Show failed and remaining password attempts.
* Document unlock procedure if Linux user account got locked.
* Point out, that there is no password feedback for `su`.
* Explain locked (root) account if locked.
* /usr/share/pam-configs/tally2-security-misc
* /usr/lib/security-misc/pam_tally2-info
2019-08-15 13:37:28 +00:00
Patrick Schleizer
a7c25a451c
remove unneeded dependency on libpam-cgfs
2019-08-14 11:50:53 +00:00
Patrick Schleizer
0feb54b28e
add Depends: apparmor-profile-anondist to fix apparmor issue
...
sudo[19806]: pam_exec(sudo:session): execve(/usr/lib/security-misc/permission-lockdown,...) failed: Permission denied
sudo[18961]: pam_exec(sudo:session): /usr/lib/security-misc/permission-lockdown failed: exit code 13
kernel: audit: type=1400 audit(1565780860.972:224): apparmor="DENIED" operation="exec" profile="/usr/bin/whonixcheck" name="/usr/lib/security-misc/permission-lockdown" pid=19806 comm="sudo" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
2019-08-14 11:10:18 +00:00
Patrick Schleizer
01b3a0bfae
description
2019-08-14 09:52:53 +00:00
Patrick Schleizer
dee195d89e
description
2019-08-14 09:40:41 +00:00
Patrick Schleizer
42f2d5f666
description
2019-08-14 07:39:28 +00:00
Patrick Schleizer
f210294f40
description
2019-08-14 07:24:24 +00:00
Patrick Schleizer
a82448d46a
description
2019-08-14 07:01:25 +00:00
Patrick Schleizer
aacd9c7679
description
2019-08-11 10:34:38 +00:00
Patrick Schleizer
c0b5c70de4
description
2019-08-11 10:33:22 +00:00
madaidan
4a6f87f3fa
Update control
2019-07-31 18:33:28 +00:00
Patrick Schleizer
ac1220e14b
depend on sudo so group sudo exists during postinst
2019-07-31 07:32:59 +00:00
Patrick Schleizer
09f75fb1ff
description
2019-07-31 07:32:36 +00:00
Patrick Schleizer
2ad087dcd9
description
2019-07-31 07:30:40 +00:00
Patrick Schleizer
404f597c0a
description
2019-07-31 07:29:42 +00:00
Patrick Schleizer
c921872016
description
2019-07-31 07:27:13 +00:00
Patrick Schleizer
39e1b1c5f0
update file path
2019-07-31 07:26:25 +00:00
Patrick Schleizer
c0a4a10d6b
description
2019-07-17 21:05:11 +00:00
Patrick Schleizer
7352b2ac31
description
2019-07-17 21:03:54 +00:00
Patrick Schleizer
4bf2360b95
description
2019-07-17 21:02:27 +00:00
Patrick Schleizer
9f2e300e72
description
2019-07-17 20:48:33 +00:00
Patrick Schleizer
d044780c04
description
2019-07-17 20:42:14 +00:00
Patrick Schleizer
75e5714d18
description
2019-07-17 20:40:01 +00:00
Patrick Schleizer
8c2f983578
description
2019-07-17 20:39:42 +00:00
Patrick Schleizer
2499ae0890
description
2019-07-16 07:28:50 -04:00
Patrick Schleizer
d0124b24d1
description
2019-07-16 07:27:56 -04:00
Patrick Schleizer
5c741d2149
shuffle
2019-07-15 13:02:30 +00:00
Patrick Schleizer
d247b7534b
sort description by categories
2019-07-15 13:01:46 +00:00
Patrick Schleizer
168ea5a660
shuffle
2019-07-15 08:48:17 -04:00
Patrick Schleizer
ea90f95f1c
cleanup
2019-07-13 16:26:40 +00:00
Patrick Schleizer
ea8b22ee78
shuffle
2019-07-13 16:26:14 +00:00
Patrick Schleizer
ca7e0e0161
description
2019-07-13 16:25:08 +00:00
Patrick Schleizer
ffb5a9c482
formatting
2019-07-13 16:23:39 +00:00
Patrick Schleizer
41675ddcff
removed: The amount of hashing rounds used by shadow is bumped to 65536.
...
This increases the security of hashed passwords.
Since we do not do that currently.
https://forums.whonix.org/t/restrict-root-access/7658/37
2019-07-13 16:21:34 +00:00
Patrick Schleizer
3f031a297d
Removes read, write and execute access for others for all users who have home
...
folders under folder /home by running for example "chmod o-rwx /home/user"
during package installation or upgrade. This will be done only once per folder
in folder /home so users who wish to relax file permissions are free to do so.
This is to protect previously created files in user home folder which were
previously created with lax file permissions prior installation of this
package.
2019-07-13 16:20:14 +00:00
Patrick Schleizer
aee6b34635
fix lintian warning
2019-07-11 18:26:17 +00:00
madaidan
1aee08fa5e
Update control
2019-07-11 15:30:09 +00:00
madaidan
853c2eb377
Update control
2019-07-11 15:26:14 +00:00
Patrick Schleizer
0057c0dd8c
fix lintian warning
2019-07-11 07:07:01 +00:00