Patrick Schleizer
6aa55698ab
delete legacy folder /etc/permission-hardening.d if empty
...
https://github.com/Kicksecure/security-misc/pull/181
2024-01-16 09:10:59 -05:00
Patrick Schleizer
ed7c09fc46
permission-hardening -> permission-hardener migration
...
mv --verbose /var/lib/permission-hardening /var/lib/permission-hardener
https://github.com/Kicksecure/security-misc/pull/181
2024-01-16 08:45:13 -05:00
Patrick Schleizer
a90cd43631
fix postinst for new permission-hardener
...
https://github.com/Kicksecure/security-misc/pull/181
2024-01-16 08:32:52 -05:00
Ben Grande
abf72c2ee4
Rename file permission hardening script
...
Hardener as the script is the agent that is hardening the file
permissions.
2024-01-02 13:34:29 +01:00
Patrick Schleizer
72f6e6bb9c
output
2023-11-06 16:28:23 -05:00
Patrick Schleizer
4a19fbae0b
move permission-hardening to /usr/bin to make it more easily accessible
2023-11-05 15:13:01 -05:00
Patrick Schleizer
5f4222c1c3
enable SUID Disabler and Permission Hardener by default
...
https://www.kicksecure.com/wiki/SUID_Disabler_and_Permission_Hardener
https://forums.whonix.org/t/suid-disabler-and-permission-hardener/7706
2023-10-26 12:20:48 -04:00
Patrick Schleizer
d6d79e96c9
minor mmap-rnd-bits improvements
2023-05-05 14:44:29 +00:00
Jeremy Rand
2cf105700a
postinst: Don't fail if mmap-rnd-bits fails
2023-04-24 23:07:40 +00:00
Jeremy Rand
61f63255ac
vm.mmap_rnd_bits: Fix ppc64le
...
Probably fixes a bunch of other non-x86_64 arches too.
2023-04-24 23:07:39 +00:00
Raja Grewal
7a4212dd76
Update copyright
2023-03-30 17:08:47 +11:00
Patrick Schleizer
2d37e3a1af
copyright
2022-05-20 14:46:38 -04:00
Patrick Schleizer
50bdd097df
move /usr/lib/security-misc to /usr/libexec/security-misc as per lintian FHS
2021-08-03 12:56:31 -04:00
Patrick Schleizer
6607c1e4bd
move /usr/lib/helper-scripts and /usr/lib/curl-scripts to /usr/libexec/helper-scripts as per lintian FHS
2021-08-03 12:48:57 -04:00
Patrick Schleizer
5a65c35479
port LKRG compatibility settings automation for VirtualBox hosts from systemd to dpkg trigger
2021-08-01 13:11:18 -04:00
Patrick Schleizer
a67007f4b7
copyright
2021-03-17 09:45:21 -04:00
Patrick Schleizer
5c81e1f23f
import from anon-gpg-conf
2020-04-06 09:25:45 -04:00
Patrick Schleizer
2ceea8d1fe
update copyright year
2020-04-01 08:49:59 -04:00
Patrick Schleizer
d2f6ac0491
fix, do user/group modifications in preinst rather than postinst
2019-12-10 03:50:23 -05:00
Patrick Schleizer
6b01e5be14
comment
2019-12-08 02:01:22 -05:00
Patrick Schleizer
52e0f104cc
comment
2019-12-08 01:59:55 -05:00
Patrick Schleizer
731d486fa0
refactoring
2019-12-08 01:58:58 -05:00
Patrick Schleizer
221a2df2a2
refactoring
2019-12-08 01:58:37 -05:00
Patrick Schleizer
b871421a54
usr/share/pam-configs/console-lockdown -> usr/share/pam-configs/console-lockdown-security-misc
2019-12-08 01:57:43 -05:00
Patrick Schleizer
d36669596f
comment
2019-12-08 01:56:30 -05:00
Patrick Schleizer
1a0f353708
comment
2019-12-08 01:47:40 -05:00
Patrick Schleizer
eed1f0a462
comment
2019-12-08 01:46:32 -05:00
Patrick Schleizer
2491b62393
refactoring, add all groups first before adding any users to any groups
2019-12-08 01:43:45 -05:00
Patrick Schleizer
c1800b13fe
separate group "ssh" for incoming ssh console permission
...
Thanks to @madaidan
https://forums.whonix.org/t/etc-security-hardening-console-lockdown-pam-access-access-conf/8592/16
2019-12-07 11:26:39 -05:00
Patrick Schleizer
6479c883bf
Console Lockdown.
...
Allow members of group 'console' to use tty1 to tty7. Everyone else except
members of group 'console-unrestricted' are restricted from using console
using ancient, unpopular login methods such as using /bin/login over networks,
which might be exploitable. (CVE-2001-0797)
Not enabled by default in this package since this package does not know which
users shall be added to group 'console'.
In new Whonix builds, user 'user" will be added to group 'console' and
pam console-lockdown enabled by package anon-base-files.
/usr/share/pam-configs/console-lockdown
/etc/security/access-security-misc.conf
https://forums.whonix.org/t/etc-security-hardening/8592
2019-12-07 05:40:20 -05:00
Patrick Schleizer
203d5cfa68
copyright
2019-10-31 11:19:44 -04:00
madaidan
af607d5eb2
Create sysfs and cpuinfo groups
2019-10-15 21:02:03 +00:00
Patrick Schleizer
8132052ce0
run update-grub from postinst so /etc/default/grub.d changes take effect
2019-09-07 05:44:23 +00:00
Patrick Schleizer
21489111d1
run permission lockdown during pam
...
https://forums.whonix.org/t/change-default-umask/7416
2019-08-14 08:34:03 +00:00
Patrick Schleizer
404f597c0a
description
2019-07-31 07:29:42 +00:00
Patrick Schleizer
3f031a297d
Removes read, write and execute access for others for all users who have home
...
folders under folder /home by running for example "chmod o-rwx /home/user"
during package installation or upgrade. This will be done only once per folder
in folder /home so users who wish to relax file permissions are free to do so.
This is to protect previously created files in user home folder which were
previously created with lax file permissions prior installation of this
package.
2019-07-13 16:20:14 +00:00
Patrick Schleizer
4079632d1a
remove modifying to /etc/pam.d directly (unrelased)
...
config-package-dev displace /etc/securetty
remove trailing spaces
https://forums.whonix.org/t/restrict-root-access/7658/31
2019-07-13 11:41:37 +00:00
Patrick Schleizer
673aab6bc2
shut up pam-auth-update
2019-07-07 22:18:47 +00:00
Patrick Schleizer
67ff83262b
move to pam-auth-update --force
...
--package hangs in Qubes updater since it starts whiptail for interactive dpkg configuration dialog.
2019-07-07 21:31:56 +00:00
Patrick Schleizer
91fb21aafb
Due to error:
...
Jul 07 20:35:39 host sudo[16090]: PAM unable to dlopen(pam_cgfs.so): /lib/security/pam_cgfs.so: cannot open shared object file: No such file or directory
Jul 07 20:35:39 host sudo[16090]: PAM adding faulty module: pam_cgfs.so
run:
pam-auth-update --package
from Debian maintainer scripts
2019-07-07 16:51:40 -04:00
Patrick Schleizer
06b86229a4
update path to pre.bsh
2019-05-12 02:58:45 -04:00
Patrick Schleizer
5b3fc2f6b9
update copyright
2018-01-29 15:22:05 +00:00
Patrick Schleizer
c3b6a44e97
update copyright
2018-01-29 15:15:17 +00:00
Patrick Schleizer
ff28f5932c
update copyright
2018-01-29 15:09:42 +00:00
Patrick Schleizer
99bb1e877e
"$@"
2017-03-06 15:00:33 +00:00
Patrick Schleizer
dfe8a569b6
override glib-compile-schemas with || true in postinst
...
https://phabricator.whonix.org/T500
2017-02-19 22:32:04 +00:00
Patrick Schleizer
5ba2a5b6ff
disable previews in nautilus by default for better security
...
copied solution by @unman
https://github.com/QubesOS/qubes-issues/issues/1108
https://github.com/QubesOS/qubes-core-agent-linux/pull/39
https://phabricator.whonix.org/T500
2017-02-19 22:25:28 +00:00