Git-Mirrors/security-misc
1
0
Fork 0
mirror of https://github.com/Kicksecure/security-misc.git synced 2024-10-01 08:25:45 -04:00
Code Issues Packages Projects Releases Wiki Activity
613 Commits 2 Branches 291 Tags 8.2 MiB
6479c883bf
Commit Graph

126 Commits

Author SHA1 Message Date
Patrick Schleizer
6479c883bf
Console Lockdown. 
Allow members of group 'console' to use tty1 to tty7. Everyone else except
members of group 'console-unrestricted' are restricted from using console
using ancient, unpopular login methods such as using /bin/login over networks,
which might be exploitable. (CVE-2001-0797)

Not enabled by default in this package since this package does not know which
users shall be added to group 'console'.

In new Whonix builds, user 'user" will be added to group 'console' and
pam console-lockdown enabled by package anon-base-files.

/usr/share/pam-configs/console-lockdown

/etc/security/access-security-misc.conf

https://forums.whonix.org/t/etc-security-hardening/8592
 2019-12-07 05:40:20 -05:00
Patrick Schleizer
5a4eda0d05
also support /usr/local/etc/remount-disable and /usr/local/etc/noexec 2019-12-07 01:53:33 -05:00
Patrick Schleizer
9b14f24d5e
refactoring 2019-12-06 11:17:32 -05:00
Patrick Schleizer
a6133f5912
output 2019-12-06 11:16:43 -05:00
Patrick Schleizer
c1ea35e2ef
output 2019-12-06 11:15:54 -05:00
Patrick Schleizer
4bec41379d
fix remount with noexec if /etc/noexec exists 2019-12-06 11:15:13 -05:00
Patrick Schleizer
470cad6e91
remount /home /tmp /dev/shm /run with nosuid,nodev (default) and noexec (opt-in) 
https://forums.whonix.org/t/re-mount-home-and-other-with-noexec-and-nosuid-among-other-useful-mount-options-for-better-security/7707
 2019-12-06 05:14:02 -05:00
Patrick Schleizer
aa5451c8cd
Lock user accounts after 50 rather than 100 failed login attempts. 
https://forums.whonix.org/t/how-strong-do-linux-user-account-passwords-have-to-be-when-using-full-disk-encryption-fde-too/7698/19
 2019-11-25 01:39:53 -05:00
Patrick Schleizer
fe1f1b73a7
load jitterentropy_rng kernel module for better entropy collection 
https://www.whonix.org/wiki/Dev/Entropy

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=927972

https://forums.whonix.org/t/jitterentropy-rngd/7204
 2019-11-23 11:20:32 +00:00
Patrick Schleizer
03e8023847
output 2019-11-22 14:11:30 -05:00
Patrick Schleizer
2e73c053b5
fix lintian warning 2019-11-09 12:55:00 +00:00
Patrick Schleizer
74293bcd2f
output 2019-11-05 01:59:25 -05:00
Patrick Schleizer
2b5b06b602
output 2019-11-05 01:59:19 -05:00
Patrick Schleizer
d6977becba
refactoring 2019-11-05 01:51:14 -05:00
Patrick Schleizer
daf0006795
comment 2019-11-05 01:50:27 -05:00
Patrick Schleizer
203d5cfa68
copyright 2019-10-31 11:19:44 -04:00
Patrick Schleizer
bce5274a15
quotes fix 2019-10-22 09:22:29 -04:00
Patrick Schleizer
e20b9e2133
better solution when using pkexec with --user: wrap sudo --user with lxqt-sudo 2019-10-22 09:08:18 -04:00
Patrick Schleizer
d4e02de43a
set SUDO_ASKPASS for pkexec wrapper when using sudo --askpass 2019-10-22 09:04:44 -04:00
Patrick Schleizer
1a65a91039
long rather than short option 2019-10-22 08:56:05 -04:00
Patrick Schleizer
b55913637b
silence output by mount/grep 2019-10-22 08:54:48 -04:00
Patrick Schleizer
a1154170c9
Call original pkexec in case there are no arguments. 2019-10-22 08:54:17 -04:00
Patrick Schleizer
1e4d0ea1d0
fix lintian warning 2019-10-21 09:55:05 +00:00
Patrick Schleizer
343d9cc916
fix 2019-10-21 09:53:55 +00:00
Patrick Schleizer
40707e70db
Redirect calls for pkexec to lxqt-sudo because pkexec is incompatible with hidepid. 
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=860040

https://forums.whonix.org/t/cannot-use-pkexec/8129

Thanks to AnonymousUser for the bug report!
 2019-10-21 05:46:49 -04:00
Patrick Schleizer
a5045dc26e
set -e 2019-10-17 06:18:32 -04:00
Patrick Schleizer
4aba027566
syntax check 2019-10-17 06:12:36 -04:00
Patrick Schleizer
8b9aa8841a
fix 2019-10-17 06:11:01 -04:00
Patrick Schleizer
cfbd77040a
set "shopt -s nullglob" to avoid failing when folder /etc/hide-hardware-info.d 
does not exist or is empty
 2019-10-17 06:10:29 -04:00
Patrick Schleizer
b05663c5f6
shuffle 
https://forums.whonix.org/t/restrict-hardware-information-to-root/7329/80
 2019-10-17 06:08:55 -04:00
Patrick Schleizer
28a440091d
code simplification 2019-10-17 06:08:16 -04:00
Patrick Schleizer
3c4e261c20
remove trailing spaces 2019-10-17 06:05:23 -04:00
Patrick Schleizer
8a42c5b023
Merge pull request #34 from madaidan/whitelist 
Add a whitelist for /sys and /proc/cpuinfo
 2019-10-17 09:59:12 +00:00
madaidan
61f742304d
return 0 2019-10-16 19:46:59 +00:00
madaidan
ffba0e0179
Elaborate 2019-10-16 19:04:15 +00:00
madaidan
f08c03ab21
Restrict sysfs/cpuinfo if the whitelist is disabled 2019-10-16 15:39:23 +00:00
madaidan
6b78dbcd07
Add way to whitelist things 2019-10-15 20:57:02 +00:00
Patrick Schleizer
d2bc3a2a08
chmod +x usr/lib/security-misc/hide-hardware-info 2019-10-05 09:14:41 +00:00
madaidan
87917d2f03
Add licensing 2019-10-03 21:38:07 +00:00
madaidan
9449f5017a
Create hide-hardware-info 2019-10-03 20:45:14 +00:00
Patrick Schleizer
75258843e9
copyright 2019-09-16 13:03:43 +00:00
Patrick Schleizer
8e39cea876
comment 2019-09-16 13:03:25 +00:00
Patrick Schleizer
bac462f211
comment 2019-09-16 13:03:02 +00:00
Patrick Schleizer
bec680d4f3
pam_tally2-info: fix, do nothing when started as user "user" 
xscreensaver runs as user "user", therefore pam_tally2 cannot function.
xscreensaver has its own failed login counter.

as user "user"
/sbin/pam_tally2 -u user
pam_tally2: Error opening /var/log/tallylog for update: Permission denied
/sbin/pam_tally2: Authentication error

https://askubuntu.com/questions/983183/how-lock-the-unlock-screen-after-wrong-password-attempts

https://forums.whonix.org/t/how-strong-do-linux-user-account-passwords-have-to-be-when-using-full-disk-encryption-fde-too/7698
 2019-09-16 12:30:23 +00:00
Patrick Schleizer
0ae5c5ff14
remove umask changes since these are causing issues are are not needed anymore 
thanks to home folder permission lockdown

https://forums.whonix.org/t/change-default-umask/7416/45
 2019-08-24 12:14:22 -04:00
Patrick Schleizer
0140df8668
virusforget 2019-08-19 08:43:28 +00:00
Patrick Schleizer
113ab42568
virusforget 2019-08-19 08:31:23 +00:00
Patrick Schleizer
416906d4f9
virusforget 2019-08-19 08:19:35 +00:00
Patrick Schleizer
2d867d9fee
virusforget 2019-08-19 08:10:18 +00:00
Patrick Schleizer
8e76e6b8b3
fix 2019-08-19 07:48:12 +00:00