Patrick Schleizer
78d33d8b57
bumped changelog version
2019-12-21 06:12:20 -05:00
Patrick Schleizer
ff48b672a8
bumped changelog version
2019-12-21 06:00:17 -05:00
Patrick Schleizer
65b5adb2d7
bumped changelog version
2019-12-21 05:38:39 -05:00
Patrick Schleizer
2b5a49a61b
bumped changelog version
2019-12-21 05:31:55 -05:00
Patrick Schleizer
ed20980f4c
refactoring
2019-12-21 05:07:10 -05:00
Patrick Schleizer
89be5f2ecb
bumped changelog version
2019-12-21 02:05:39 -05:00
Patrick Schleizer
1cd5fb6a00
bumped changelog version
2019-12-20 11:50:25 -05:00
Patrick Schleizer
28d12c3966
bumped changelog version
2019-12-20 11:09:22 -05:00
Patrick Schleizer
c0ddb76d74
bumped changelog version
2019-12-20 10:50:51 -05:00
Patrick Schleizer
089c40135f
bumped changelog version
2019-12-20 08:15:00 -05:00
Patrick Schleizer
ddc0eec63d
bumped changelog version
2019-12-20 07:12:36 -05:00
Patrick Schleizer
8e112c3423
description
2019-12-20 06:53:24 -05:00
Patrick Schleizer
24ea70384b
description
2019-12-20 06:53:03 -05:00
Patrick Schleizer
6dd6530fa5
remove hardening-enable
...
please invent package security-paranoid instead
https://forums.whonix.org/t/security-hardening-tool-usr-bin-hardening-enable-by-security-misc/8609
2019-12-20 05:32:26 -05:00
Patrick Schleizer
62eb462920
skip console_users_check for Qubes users
2019-12-16 06:46:48 -05:00
Patrick Schleizer
ab68182e11
bumped changelog version
2019-12-16 06:27:51 -05:00
Patrick Schleizer
2c4170e6f3
description
2019-12-12 09:47:58 -05:00
Patrick Schleizer
2d5ef378f3
description
2019-12-12 09:39:39 -05:00
Patrick Schleizer
a10597de92
bumped changelog version
2019-12-12 09:04:15 -05:00
Patrick Schleizer
729fa26eca
use pam_access only for /etc/pam.d/login
...
remove "Allow members of group 'ssh' to login."
remove "+:ssh:ALL EXCEPT LOCAL"
2019-12-12 09:00:08 -05:00
Patrick Schleizer
22b6480bc4
bumped changelog version
2019-12-10 11:44:02 -05:00
Patrick Schleizer
88bea2a6ef
comment
2019-12-10 03:53:10 -05:00
Patrick Schleizer
7d8001ddc9
refactoring
2019-12-10 03:51:39 -05:00
Patrick Schleizer
d2f6ac0491
fix, do user/group modifications in preinst rather than postinst
2019-12-10 03:50:23 -05:00
Patrick Schleizer
64ae53edb9
bumped changelog version
2019-12-09 08:25:30 -05:00
Patrick Schleizer
6f944234a9
bumped changelog version
2019-12-08 05:26:29 -05:00
Patrick Schleizer
c192644ee3
security-misc /usr/share/pam-configs/permission-lockdown-security-misc
is no longer required, removed.
...
Thereby fix apparmor issue.
> Dec 08 09:47:50 host audit[3232]: AVC apparmor="DENIED" operation="exec" profile="/usr/bin/whonixcheck" name="/usr/lib/security-misc/permission-lockdown" pid=3232 comm="sudo" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
> Dec 08 09:47:50 host sudo[3232]: pam_exec(sudo:session): execve(/usr/lib/security-misc/permission-lockdown,...) failed: Permission denied
It is no longer required, because...
existing Linux user accounts:
* Get permission lock down because security-misc `debian/security-misc.postinst` calls `/usr/lib/security-misc/permission-lockdown`.
new Linux user accounts (created at first boot):
* security-misc `/usr/share/pam-configs/mkhomedir-security-misc` pam mkhomedir sets secure permissions using `umask=027`.
2019-12-08 05:21:35 -05:00
Patrick Schleizer
edcc2de71d
bumped changelog version
2019-12-08 04:38:33 -05:00
Patrick Schleizer
17d81d0083
bumped changelog version
2019-12-08 04:27:01 -05:00
Patrick Schleizer
ebae9eef38
skip sudo_users_check in Qubes
...
Qubes users can use dom0 to get a root terminal emulator.
For example:
`qvm-run -u root debian-10 xterm`
2019-12-08 04:25:19 -05:00
Patrick Schleizer
53e4717c62
bumped changelog version
2019-12-08 04:05:29 -05:00
Patrick Schleizer
a345a0fb64
abort installation if ssh.service is enabled but no user is a member of group ssh
2019-12-08 03:27:12 -05:00
Patrick Schleizer
cea598dc1a
refactoring
2019-12-08 02:43:05 -05:00
Patrick Schleizer
54f5e02c21
comment
2019-12-08 02:42:30 -05:00
Patrick Schleizer
b4265195f4
refactoring
2019-12-08 02:41:36 -05:00
Patrick Schleizer
0f65b2e85c
abort installation if no user is a member of group "console"; output
...
https://forums.whonix.org/t/etc-security-hardening-console-lockdown-pam-access-access-conf/8592/7
2019-12-08 02:38:19 -05:00
Patrick Schleizer
1dbca1ea2d
add usr/bin/hardening-enable
2019-12-08 02:27:09 -05:00
Patrick Schleizer
24423b42f0
description
2019-12-08 02:03:05 -05:00
Patrick Schleizer
6b01e5be14
comment
2019-12-08 02:01:22 -05:00
Patrick Schleizer
66bebefc9f
description
2019-12-08 02:00:23 -05:00
Patrick Schleizer
52e0f104cc
comment
2019-12-08 01:59:55 -05:00
Patrick Schleizer
731d486fa0
refactoring
2019-12-08 01:58:58 -05:00
Patrick Schleizer
221a2df2a2
refactoring
2019-12-08 01:58:37 -05:00
Patrick Schleizer
b871421a54
usr/share/pam-configs/console-lockdown -> usr/share/pam-configs/console-lockdown-security-misc
2019-12-08 01:57:43 -05:00
Patrick Schleizer
d36669596f
comment
2019-12-08 01:56:30 -05:00
Patrick Schleizer
1a0f353708
comment
2019-12-08 01:47:40 -05:00
Patrick Schleizer
eed1f0a462
comment
2019-12-08 01:46:32 -05:00
Patrick Schleizer
2491b62393
refactoring, add all groups first before adding any users to any groups
2019-12-08 01:43:45 -05:00
Patrick Schleizer
1464f01d19
description
2019-12-08 01:30:42 -05:00
Patrick Schleizer
c1800b13fe
separate group "ssh" for incoming ssh console permission
...
Thanks to @madaidan
https://forums.whonix.org/t/etc-security-hardening-console-lockdown-pam-access-access-conf/8592/16
2019-12-07 11:26:39 -05:00