Commit Graph

47 Commits

Author SHA1 Message Date
Patrick Schleizer
6aa55698ab
delete legacy folder /etc/permission-hardening.d if empty
https://github.com/Kicksecure/security-misc/pull/181
2024-01-16 09:10:59 -05:00
Patrick Schleizer
ed7c09fc46
permission-hardening -> permission-hardener migration
mv --verbose /var/lib/permission-hardening /var/lib/permission-hardener

https://github.com/Kicksecure/security-misc/pull/181
2024-01-16 08:45:13 -05:00
Patrick Schleizer
a90cd43631
fix postinst for new permission-hardener
https://github.com/Kicksecure/security-misc/pull/181
2024-01-16 08:32:52 -05:00
Ben Grande
abf72c2ee4
Rename file permission hardening script
Hardener as the script is the agent that is hardening the file
permissions.
2024-01-02 13:34:29 +01:00
Patrick Schleizer
72f6e6bb9c
output 2023-11-06 16:28:23 -05:00
Patrick Schleizer
4a19fbae0b
move permission-hardening to /usr/bin to make it more easily accessible 2023-11-05 15:13:01 -05:00
Patrick Schleizer
5f4222c1c3
enable SUID Disabler and Permission Hardener by default
https://www.kicksecure.com/wiki/SUID_Disabler_and_Permission_Hardener

https://forums.whonix.org/t/suid-disabler-and-permission-hardener/7706
2023-10-26 12:20:48 -04:00
Patrick Schleizer
d6d79e96c9
minor mmap-rnd-bits improvements 2023-05-05 14:44:29 +00:00
Jeremy Rand
2cf105700a
postinst: Don't fail if mmap-rnd-bits fails 2023-04-24 23:07:40 +00:00
Jeremy Rand
61f63255ac
vm.mmap_rnd_bits: Fix ppc64le
Probably fixes a bunch of other non-x86_64 arches too.
2023-04-24 23:07:39 +00:00
Raja Grewal
7a4212dd76
Update copyright 2023-03-30 17:08:47 +11:00
Patrick Schleizer
2d37e3a1af
copyright 2022-05-20 14:46:38 -04:00
Patrick Schleizer
50bdd097df
move /usr/lib/security-misc to /usr/libexec/security-misc as per lintian FHS 2021-08-03 12:56:31 -04:00
Patrick Schleizer
6607c1e4bd
move /usr/lib/helper-scripts and /usr/lib/curl-scripts to /usr/libexec/helper-scripts as per lintian FHS 2021-08-03 12:48:57 -04:00
Patrick Schleizer
5a65c35479
port LKRG compatibility settings automation for VirtualBox hosts from systemd to dpkg trigger 2021-08-01 13:11:18 -04:00
Patrick Schleizer
a67007f4b7
copyright 2021-03-17 09:45:21 -04:00
Patrick Schleizer
5c81e1f23f
import from anon-gpg-conf 2020-04-06 09:25:45 -04:00
Patrick Schleizer
2ceea8d1fe
update copyright year 2020-04-01 08:49:59 -04:00
Patrick Schleizer
d2f6ac0491
fix, do user/group modifications in preinst rather than postinst 2019-12-10 03:50:23 -05:00
Patrick Schleizer
6b01e5be14
comment 2019-12-08 02:01:22 -05:00
Patrick Schleizer
52e0f104cc
comment 2019-12-08 01:59:55 -05:00
Patrick Schleizer
731d486fa0
refactoring 2019-12-08 01:58:58 -05:00
Patrick Schleizer
221a2df2a2
refactoring 2019-12-08 01:58:37 -05:00
Patrick Schleizer
b871421a54
usr/share/pam-configs/console-lockdown -> usr/share/pam-configs/console-lockdown-security-misc 2019-12-08 01:57:43 -05:00
Patrick Schleizer
d36669596f
comment 2019-12-08 01:56:30 -05:00
Patrick Schleizer
1a0f353708
comment 2019-12-08 01:47:40 -05:00
Patrick Schleizer
eed1f0a462
comment 2019-12-08 01:46:32 -05:00
Patrick Schleizer
2491b62393
refactoring, add all groups first before adding any users to any groups 2019-12-08 01:43:45 -05:00
Patrick Schleizer
c1800b13fe
separate group "ssh" for incoming ssh console permission
Thanks to @madaidan

https://forums.whonix.org/t/etc-security-hardening-console-lockdown-pam-access-access-conf/8592/16
2019-12-07 11:26:39 -05:00
Patrick Schleizer
6479c883bf
Console Lockdown.
Allow members of group 'console' to use tty1 to tty7. Everyone else except
members of group 'console-unrestricted' are restricted from using console
using ancient, unpopular login methods such as using /bin/login over networks,
which might be exploitable. (CVE-2001-0797)

Not enabled by default in this package since this package does not know which
users shall be added to group 'console'.

In new Whonix builds, user 'user" will be added to group 'console' and
pam console-lockdown enabled by package anon-base-files.

/usr/share/pam-configs/console-lockdown

/etc/security/access-security-misc.conf

https://forums.whonix.org/t/etc-security-hardening/8592
2019-12-07 05:40:20 -05:00
Patrick Schleizer
203d5cfa68
copyright 2019-10-31 11:19:44 -04:00
madaidan
af607d5eb2
Create sysfs and cpuinfo groups 2019-10-15 21:02:03 +00:00
Patrick Schleizer
8132052ce0
run update-grub from postinst so /etc/default/grub.d changes take effect 2019-09-07 05:44:23 +00:00
Patrick Schleizer
21489111d1
run permission lockdown during pam
https://forums.whonix.org/t/change-default-umask/7416
2019-08-14 08:34:03 +00:00
Patrick Schleizer
404f597c0a
description 2019-07-31 07:29:42 +00:00
Patrick Schleizer
3f031a297d
Removes read, write and execute access for others for all users who have home
folders under folder /home by running for example "chmod o-rwx /home/user"
 during package installation or upgrade. This will be done only once per folder
 in folder /home so users who wish to relax file permissions are free to do so.
 This is to protect previously created files in user home folder which were
 previously created with lax file permissions prior installation of this
 package.
2019-07-13 16:20:14 +00:00
Patrick Schleizer
4079632d1a
remove modifying to /etc/pam.d directly (unrelased)
config-package-dev displace /etc/securetty
remove trailing spaces

https://forums.whonix.org/t/restrict-root-access/7658/31
2019-07-13 11:41:37 +00:00
Patrick Schleizer
673aab6bc2
shut up pam-auth-update 2019-07-07 22:18:47 +00:00
Patrick Schleizer
67ff83262b
move to pam-auth-update --force
--package hangs in Qubes updater since it starts whiptail for interactive dpkg configuration dialog.
2019-07-07 21:31:56 +00:00
Patrick Schleizer
91fb21aafb
Due to error:
Jul 07 20:35:39 host sudo[16090]: PAM unable to dlopen(pam_cgfs.so): /lib/security/pam_cgfs.so: cannot open shared object file: No such file or directory
Jul 07 20:35:39 host sudo[16090]: PAM adding faulty module: pam_cgfs.so

run:
pam-auth-update --package
from Debian maintainer scripts
2019-07-07 16:51:40 -04:00
Patrick Schleizer
06b86229a4
update path to pre.bsh 2019-05-12 02:58:45 -04:00
Patrick Schleizer
5b3fc2f6b9
update copyright 2018-01-29 15:22:05 +00:00
Patrick Schleizer
c3b6a44e97
update copyright 2018-01-29 15:15:17 +00:00
Patrick Schleizer
ff28f5932c
update copyright 2018-01-29 15:09:42 +00:00
Patrick Schleizer
99bb1e877e
"$@" 2017-03-06 15:00:33 +00:00
Patrick Schleizer
dfe8a569b6
override glib-compile-schemas with || true in postinst
https://phabricator.whonix.org/T500
2017-02-19 22:32:04 +00:00
Patrick Schleizer
5ba2a5b6ff
disable previews in nautilus by default for better security
copied solution by @unman

https://github.com/QubesOS/qubes-issues/issues/1108

https://github.com/QubesOS/qubes-core-agent-linux/pull/39

https://phabricator.whonix.org/T500
2017-02-19 22:25:28 +00:00