Commit Graph

490 Commits

Author SHA1 Message Date
Patrick Schleizer
9781598632
Merge pull request #27 from madaidan/patch-21
Blacklist bluetooth
2019-08-16 14:36:00 +00:00
Patrick Schleizer
85502ad430
Merge branch 'master' into patch-21 2019-08-16 14:35:51 +00:00
Patrick Schleizer
34672b88a8
bumped changelog version 2019-08-15 15:18:02 +00:00
Patrick Schleizer
a11e3cea9e
readme 2019-08-15 15:08:48 +00:00
Patrick Schleizer
ff9bc1d7ea
informational output during PAM:
* Show failed and remaining password attempts.
* Document unlock procedure if Linux user account got locked.
* Point out, that there is no password feedback for `su`.
* Explain locked (root) account if locked.
* /usr/share/pam-configs/tally2-security-misc
* /usr/lib/security-misc/pam_tally2-info
2019-08-15 13:37:28 +00:00
Patrick Schleizer
454e135822
pam_tally2.so even_deny_root 2019-08-15 07:33:41 +00:00
Patrick Schleizer
63b476221c
use requisite rather than required to avoid asking for password needlessly
if login will fail anyhow
2019-08-15 07:30:56 +00:00
Patrick Schleizer
ce4a30d3ce
bumped changelog version 2019-08-14 11:52:26 +00:00
Patrick Schleizer
a7c25a451c
remove unneeded dependency on libpam-cgfs 2019-08-14 11:50:53 +00:00
Patrick Schleizer
633854c6be
bumped changelog version 2019-08-14 11:13:25 +00:00
Patrick Schleizer
0feb54b28e
add Depends: apparmor-profile-anondist to fix apparmor issue
sudo[19806]: pam_exec(sudo:session): execve(/usr/lib/security-misc/permission-lockdown,...) failed: Permission denied
sudo[18961]: pam_exec(sudo:session): /usr/lib/security-misc/permission-lockdown failed: exit code 13
kernel: audit: type=1400 audit(1565780860.972:224): apparmor="DENIED" operation="exec" profile="/usr/bin/whonixcheck" name="/usr/lib/security-misc/permission-lockdown" pid=19806 comm="sudo" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
2019-08-14 11:10:18 +00:00
Patrick Schleizer
8fdc77fed5
output to stdout 2019-08-14 10:33:23 +00:00
Patrick Schleizer
5213cfbcdc
bumped changelog version 2019-08-14 10:08:18 +00:00
Patrick Schleizer
2875adb722
readme 2019-08-14 10:07:55 +00:00
Patrick Schleizer
01b3a0bfae
description 2019-08-14 09:52:53 +00:00
Patrick Schleizer
547ba91d79
sanity test 2019-08-14 09:45:30 +00:00
Patrick Schleizer
dee195d89e
description 2019-08-14 09:40:41 +00:00
Patrick Schleizer
799acad724
skip, if not a folder 2019-08-14 09:39:43 +00:00
Patrick Schleizer
6321ff5ad5
refactoring 2019-08-14 09:38:44 +00:00
Patrick Schleizer
15094cab4f
avoid ' character in usr/share/pam-configs; in description 2019-08-14 09:36:30 +00:00
Patrick Schleizer
97d1945e61
no log needed, informative output to stdout instead 2019-08-14 09:32:58 +00:00
Patrick Schleizer
a085d46c56
change priories so "pam_umask.so usergroups umask=006" runs before pam_exec.so /usr/lib/security-misc/permission-lockdown 2019-08-14 09:31:58 +00:00
Patrick Schleizer
f8c828b69a
output 2019-08-14 05:19:02 -04:00
Patrick Schleizer
e5da6d9699
copyright 2019-08-14 05:17:54 -04:00
Patrick Schleizer
1595789d7c
comment 2019-08-14 05:17:16 -04:00
Patrick Schleizer
ce06fdf911
formatting 2019-08-14 05:15:53 -04:00
Patrick Schleizer
21489111d1
run permission lockdown during pam
https://forums.whonix.org/t/change-default-umask/7416
2019-08-14 08:34:03 +00:00
Patrick Schleizer
42f2d5f666
description 2019-08-14 07:39:28 +00:00
Patrick Schleizer
52df8dc014
optional pam_umask.so usergroups umask=006 2019-08-14 07:37:21 +00:00
Patrick Schleizer
f210294f40
description 2019-08-14 07:24:24 +00:00
Patrick Schleizer
dbea7d1511
add hook etc/kernel/postinst.d/30_remove-system-map to remove system.map
on kernel package upgrade;

self-document this package: during upgrade the following will be written
to stdout:

Setting up linux-image-4.19.0-5-amd64 (4.19.37-5+deb10u2) ...
/etc/kernel/postinst.d/30_remove-system-map:
removed '/boot/System.map-4.19.0-5-amd64
2019-08-14 07:22:14 +00:00
Patrick Schleizer
f1d8cbc9fb
bumped changelog version 2019-08-14 07:02:09 +00:00
Patrick Schleizer
41f4441d9d
readme 2019-08-14 07:01:47 +00:00
Patrick Schleizer
a82448d46a
description 2019-08-14 07:01:25 +00:00
Patrick Schleizer
ff8c097943
Merge remote-tracking branch 'origin/master' 2019-08-14 06:59:50 +00:00
Patrick Schleizer
a8ea379526
Merge pull request #28 from madaidan/patch-22
Require all loaded kernel modules to be signed with a valid key.
2019-08-14 06:59:34 +00:00
madaidan
9a49b8ecbb
Create 40_only_allow_signed_modules.cfg
Require all loaded kernel modules to be signed with a valid key.
2019-08-13 13:33:07 +00:00
Patrick Schleizer
6f8acf06d7
bumped changelog version 2019-08-11 12:07:07 +00:00
Patrick Schleizer
52cee91283
readme 2019-08-11 11:39:32 +00:00
Patrick Schleizer
aacd9c7679
description 2019-08-11 10:34:38 +00:00
Patrick Schleizer
c0b5c70de4
description 2019-08-11 10:33:22 +00:00
Patrick Schleizer
2f37a66fd0
description 2019-08-11 10:31:29 +00:00
Patrick Schleizer
e83ec79a25
enable usr/share/pam-configs/mkhomedir-security-misc by default 2019-08-11 10:30:51 +00:00
Patrick Schleizer
1eb806a03e
pam_mkhomedir.so umask=006 2019-08-11 10:29:49 +00:00
Patrick Schleizer
c50eb3c9b0
add usr/share/pam-configs/mkhomedir-security-misc based on
/usr/share/pam-configs/mkhomedir
2019-08-11 10:28:55 +00:00
Patrick Schleizer
75769151cd
bumped changelog version 2019-08-10 11:37:02 +00:00
Patrick Schleizer
a2fa18c381
pam_tally2.so deny=100
during testing, due to issues

d17e25272b

https://forums.whonix.org/t/how-strong-do-linux-user-account-passwords-have-to-be-when-using-full-disk-encryption-fde-too/7698/12
2019-08-10 07:07:28 -04:00
Patrick Schleizer
d17e25272b
effectively (not directly) add "required pam_tally2.so debug" to /etc/pam.d/common-account
This is required because otherwise something like "sudo bash" would count as a
failed login for pam_tally2 even though it was successful.

https://bugzilla.redhat.com/show_bug.cgi?id=707660

https://forums.whonix.org/t/restrict-root-access/7658
2019-08-10 06:06:39 -04:00
Patrick Schleizer
0f896a9d8d
add onerr=fail audit to pam_tally2 2019-08-10 06:05:37 -04:00
Patrick Schleizer
a703865dcf
bumped changelog version 2019-08-01 12:02:41 +00:00