Commit Graph

335 Commits

Author SHA1 Message Date
Patrick Schleizer
d7f58db52c
bumped changelog version 2019-12-27 05:30:12 -05:00
Patrick Schleizer
507a30d6e3
bumped changelog version 2019-12-24 18:35:49 -05:00
Patrick Schleizer
0326cd5ee9
bumped changelog version 2019-12-24 08:07:55 -05:00
Patrick Schleizer
7a80837b4f
bumped changelog version 2019-12-23 08:48:04 -05:00
Patrick Schleizer
bef41a38c2
bumped changelog version 2019-12-23 03:58:00 -05:00
Patrick Schleizer
9ec5b0ee82
description: lockdown not enabled yet 2019-12-23 03:38:49 -05:00
Patrick Schleizer
1ff51ee061
merge 2019-12-23 03:37:28 -05:00
Patrick Schleizer
42ff53e9ad
bumped changelog version 2019-12-23 02:42:07 -05:00
Patrick Schleizer
175d1c2845
bumped changelog version 2019-12-23 02:13:13 -05:00
Patrick Schleizer
3670fcf48b
depend on libcap2-bin for setcap / getcap / capsh 2019-12-23 00:49:33 -05:00
Patrick Schleizer
bce02ffdc0
Merge pull request #47 from madaidan/msr
Blacklist CPU MSRs
2019-12-22 15:26:07 +00:00
madaidan
8f11a520f4
Update control 2019-12-22 13:54:16 +00:00
Patrick Schleizer
008ce4817c
bumped changelog version 2019-12-21 14:55:03 -05:00
Patrick Schleizer
1213415ce6
bumped changelog version 2019-12-21 14:23:35 -05:00
Patrick Schleizer
1c99b56c9b
bumped changelog version 2019-12-21 07:49:55 -05:00
Patrick Schleizer
b74e5ca972
comment 2019-12-21 07:47:00 -05:00
Patrick Schleizer
0c4db8c2b0
bumped changelog version 2019-12-21 07:38:25 -05:00
Patrick Schleizer
af8b04b73d
rm_conffile /etc/apparmor.d/usr.lib.security-misc.pam_tally2-info
rm_conffile /etc/apparmor.d/usr.lib.security-misc.permission-lockdown

https://github.com/Whonix/security-misc/pull/45
2019-12-21 06:58:01 -05:00
Patrick Schleizer
fac17a963d
bumped changelog version 2019-12-21 06:28:19 -05:00
Patrick Schleizer
78d33d8b57
bumped changelog version 2019-12-21 06:12:20 -05:00
Patrick Schleizer
ff48b672a8
bumped changelog version 2019-12-21 06:00:17 -05:00
Patrick Schleizer
65b5adb2d7
bumped changelog version 2019-12-21 05:38:39 -05:00
Patrick Schleizer
2b5a49a61b
bumped changelog version 2019-12-21 05:31:55 -05:00
Patrick Schleizer
ed20980f4c
refactoring 2019-12-21 05:07:10 -05:00
Patrick Schleizer
89be5f2ecb
bumped changelog version 2019-12-21 02:05:39 -05:00
Patrick Schleizer
1cd5fb6a00
bumped changelog version 2019-12-20 11:50:25 -05:00
Patrick Schleizer
28d12c3966
bumped changelog version 2019-12-20 11:09:22 -05:00
Patrick Schleizer
c0ddb76d74
bumped changelog version 2019-12-20 10:50:51 -05:00
Patrick Schleizer
089c40135f
bumped changelog version 2019-12-20 08:15:00 -05:00
Patrick Schleizer
ddc0eec63d
bumped changelog version 2019-12-20 07:12:36 -05:00
Patrick Schleizer
8e112c3423
description 2019-12-20 06:53:24 -05:00
Patrick Schleizer
24ea70384b
description 2019-12-20 06:53:03 -05:00
Patrick Schleizer
6dd6530fa5
remove hardening-enable
please invent package security-paranoid instead

https://forums.whonix.org/t/security-hardening-tool-usr-bin-hardening-enable-by-security-misc/8609
2019-12-20 05:32:26 -05:00
Patrick Schleizer
62eb462920
skip console_users_check for Qubes users 2019-12-16 06:46:48 -05:00
Patrick Schleizer
ab68182e11
bumped changelog version 2019-12-16 06:27:51 -05:00
Patrick Schleizer
2c4170e6f3
description 2019-12-12 09:47:58 -05:00
Patrick Schleizer
2d5ef378f3
description 2019-12-12 09:39:39 -05:00
Patrick Schleizer
a10597de92
bumped changelog version 2019-12-12 09:04:15 -05:00
Patrick Schleizer
729fa26eca
use pam_acccess only for /etc/pam.d/login
remove "Allow members of group 'ssh' to login."
remove "+:ssh:ALL EXCEPT LOCAL"
2019-12-12 09:00:08 -05:00
Patrick Schleizer
22b6480bc4
bumped changelog version 2019-12-10 11:44:02 -05:00
Patrick Schleizer
88bea2a6ef
comment 2019-12-10 03:53:10 -05:00
Patrick Schleizer
7d8001ddc9
refactoring 2019-12-10 03:51:39 -05:00
Patrick Schleizer
d2f6ac0491
fix, do user/group modifications in preinst rather than postinst 2019-12-10 03:50:23 -05:00
Patrick Schleizer
64ae53edb9
bumped changelog version 2019-12-09 08:25:30 -05:00
Patrick Schleizer
6f944234a9
bumped changelog version 2019-12-08 05:26:29 -05:00
Patrick Schleizer
c192644ee3
security-misc /usr/share/pam-configs/permission-lockdown-security-misc is no longer required, removed.
Thereby fix apparmor issue.

> Dec 08 09:47:50 host audit[3232]: AVC apparmor="DENIED" operation="exec" profile="/usr/bin/whonixcheck" name="/usr/lib/security-misc/permission-lockdown" pid=3232 comm="sudo" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
> Dec 08 09:47:50 host sudo[3232]: pam_exec(sudo:session): execve(/usr/lib/security-misc/permission-lockdown,...) failed: Permission denied

It is no longer required, because...

existing linux user accounts:

* Get permission lock down because security-misc `debian/security-misc.postinst` calls `/usr/lib/security-misc/permission-lockdown`.

new linux user accounts (created at first boot):

* security-misc `/usr/share/pam-configs/mkhomedir-security-misc` pam mkhomedir sets secure permissions using `umask=027`.
2019-12-08 05:21:35 -05:00
Patrick Schleizer
edcc2de71d
bumped changelog version 2019-12-08 04:38:33 -05:00
Patrick Schleizer
17d81d0083
bumped changelog version 2019-12-08 04:27:01 -05:00
Patrick Schleizer
ebae9eef38
skip sudo_users_check in Qubes
Qubes users can use dom0 to get a root terminal emulator.

For example:
qvm-run -u root debian-10 xterm
2019-12-08 04:25:19 -05:00
Patrick Schleizer
53e4717c62
bumped changelog version 2019-12-08 04:05:29 -05:00