Commit Graph

1387 Commits

Author SHA1 Message Date
Patrick Schleizer
28a326a8a1
add feature /usr/lib/security-misc/permission-hardening-undo /path/to/filename
to allow removing 1 SUID

fix, show INFO message if file does not exist during removal rather than ERROR
2020-11-28 05:31:12 -05:00
Patrick Schleizer
0ef35f8770
bumped changelog version 2020-11-06 10:18:09 -05:00
Patrick Schleizer
abae787186
usability: pam abort when attempting to login to root when root password is locked 2020-11-05 06:47:16 -05:00
Patrick Schleizer
581e31af81
comment 2020-11-05 06:46:57 -05:00
Patrick Schleizer
dfe9b0f6c7
fix, no longer unconditionally abort pam for user accounts with locked passwords
as locked user accounts might have valid sudoers exceptions

Thanks to @mimp for the bug report!

https://forums.whonix.org/t/pam-abort-on-locked-password-and-running-privileged-command-from-web-browser/10521
2020-11-05 06:42:47 -05:00
Patrick Schleizer
211769dc65
comment 2020-11-05 06:41:51 -05:00
Patrick Schleizer
7952139731
comment 2020-11-05 06:39:32 -05:00
Patrick Schleizer
bb72c1278d
copyright 2020-11-05 06:36:39 -05:00
Patrick Schleizer
f4843b1deb
bumped changelog version 2020-10-31 06:29:25 -04:00
Patrick Schleizer
c1e0bb8310
shebang 2020-10-31 06:11:49 -04:00
Patrick Schleizer
b06d4ca299
bumped changelog version 2020-10-31 06:09:22 -04:00
Patrick Schleizer
3f656be574
chmod +x /etc/X11/Xsession.d/50panic_on_oops
chmod +x /etc/X11/Xsession.d/50security-misc
2020-10-31 05:48:10 -04:00
Patrick Schleizer
881d695bff
bumped changelog version 2020-10-05 07:03:37 -04:00
Patrick Schleizer
3adb2c92d9
Merge remote-tracking branch 'github/master' 2020-10-03 14:10:32 -04:00
Patrick Schleizer
58560138cd
Merge pull request #77 from madaidan/debugfs
Restrict access to debugfs
2020-10-03 18:09:07 +00:00
madaidan
06ffd5d220
Restrict access to debugfs 2020-09-28 19:21:20 +00:00
Patrick Schleizer
feb7cea4c5
bumped changelog version 2020-09-28 10:30:42 -04:00
Patrick Schleizer
da1ac48cde
unblacklist squashfs as this would likely break Whonix-Host ISO
https://github.com/Whonix/security-misc/pull/75#issuecomment-700044182
2020-09-28 10:29:50 -04:00
Patrick Schleizer
4070133ed6
unblacklist vfat
https://github.com/Whonix/security-misc/pull/75#issuecomment-695201068
2020-09-28 10:25:57 -04:00
Patrick Schleizer
77d461ec08
Merge remote-tracking branch 'github/master' 2020-09-28 10:24:59 -04:00
Patrick Schleizer
3684ab585e
Merge pull request #75 from flawedworld/patch-1
Blacklist more modules (based on OpenSCAP for RHEL 8)
2020-09-28 14:24:15 +00:00
Patrick Schleizer
ae90107e6d
Merge pull request #76 from flawedworld/patch-2
Add IPv6 sysctl options and enforce kernel.perf_event_paranoid=3
2020-09-28 14:23:42 +00:00
flawedworld
a813e7da07 Blacklist more modules 2020-09-19 20:46:19 +01:00
Patrick Schleizer
5fc7b791db
bumped changelog version 2020-09-19 09:28:27 -04:00
Patrick Schleizer
bff6ce7abb
Merge remote-tracking branch 'github/master' 2020-09-19 06:54:50 -04:00
Patrick Schleizer
9239c8b807
Merge pull request #71 from onions-knight/patch-1
Update thunar.xml
2020-09-19 10:54:21 +00:00
flawedworld
8f7727e823
Add some IPv6 options 2020-09-18 23:36:30 +01:00
flawedworld
944fed3c45
Disallow kernel profiling by users without CAP_SYS_ADMIN
It's the default on a lot of stuff, but still nice to have.
2020-09-18 23:29:04 +01:00
Patrick Schleizer
98c0decaa4
bumped changelog version 2020-08-03 09:43:43 -04:00
Patrick Schleizer
7e267ab498
fix, allow group sudo and console to use consoles
fix /etc/security/access-security-misc.conf syntax error

Thanks to @81a989 for the bug report!

https://forums.whonix.org/t/etc-security-hardening-console-lockdown-pam-access-access-conf/8592/31
2020-08-03 08:12:19 -04:00
Patrick Schleizer
b09f5ddc15
bumped changelog version 2020-07-29 08:33:07 -04:00
Patrick Schleizer
ac8bc4f006
readme 2020-07-29 06:30:07 -04:00
Patrick Schleizer
861f9d1022
bumped changelog version 2020-05-14 13:57:32 -04:00
Patrick Schleizer
3cd7b144bb
move "kernel.printk = 3 3 3 3" to separate file /etc/sysctl.d/30_silent-kernel-printk.conf
so package debug-misc can easily disable it

https://phabricator.whonix.org/T950
2020-05-14 13:47:58 -04:00
Patrick Schleizer
81cb6ad246
bumped changelog version 2020-04-23 12:27:25 -04:00
Patrick Schleizer
6485df8126
Prevent kernel info leaks in console during boot.
add kernel parameter `quiet loglevel=0`

https://phabricator.whonix.org/T950
2020-04-23 12:26:31 -04:00
Patrick Schleizer
aa5631b02b
bumped changelog version 2020-04-16 08:43:40 -04:00
Patrick Schleizer
8d2e4b68dc
Prevent kernel info leaks in console during boot.
By setting `kernel.printk = 3 3 3 3`.

https://phabricator.whonix.org/T950

Thanks to @madaidan for the suggestion!
2020-04-16 08:00:31 -04:00
Patrick Schleizer
4898a9e753
fix, sysctl-initramfs: switch log to /run/initramfs/sysctl-initramfs-error.log
since ephemeral, in RAM, not written to disk, no conflict with grub-live

https://forums.whonix.org/t/kernel-hardening/7296/435
2020-04-16 07:54:33 -04:00
Patrick Schleizer
701da5f6cc
formatting 2020-04-16 07:24:44 -04:00
Patrick Schleizer
cb51847085
readme 2020-04-15 14:05:37 -04:00
Patrick Schleizer
df218ad658
bumped changelog version 2020-04-14 12:40:31 -04:00
Patrick Schleizer
8851c9ed29
fix: disable proc-hidepid.service 2020-04-14 12:39:34 -04:00
Patrick Schleizer
b6dde34bfb
bumped changelog version 2020-04-13 06:56:34 -04:00
Patrick Schleizer
e0b8640fb9
readme 2020-04-13 06:56:34 -04:00
Patrick Schleizer
253578afdf
/etc/security/access-security-misc.conf white list ttyS0 etc.
ttyS0 ttyS1 ttyS2 ttyS3 ttyS4 ttyS5 ttyS6 ttyS7 ttyS8 ttyS9

Thanks to @subpar_marlin for the bug report and helping to fix this!

https://forums.whonix.org/t/how-do-i-enter-the-whonix-shell-from-cli/7271/43

https://forums.whonix.org/t/etc-security-hardening/8592
2020-04-13 06:50:32 -04:00
Patrick Schleizer
b3ce18f0f9
disable proc-hidepid by default because incompatible with pkexec
and undo pkexec wrapper
2020-04-12 16:54:10 -04:00
Patrick Schleizer
4429315291
disable proc-hidepid by default because incompatible with pkexec
and undo pkexec wrapper
2020-04-12 16:52:55 -04:00
Patrick Schleizer
72be31e870
disable proc-hidepid by default because incompatible with pkexec
and undo pkexec wrapper
2020-04-12 16:48:13 -04:00
Patrick Schleizer
938e929f39
add pkexec to suid default whitelist
/usr/bin/pkexec exactwhitelist
/usr/bin/pkexec.security-misc-orig exactwhitelist
2020-04-12 16:37:51 -04:00