Patrick Schleizer
22b6480bc4
bumped changelog version
2019-12-10 11:44:02 -05:00
Patrick Schleizer
88bea2a6ef
comment
2019-12-10 03:53:10 -05:00
Patrick Schleizer
7d8001ddc9
refactoring
2019-12-10 03:51:39 -05:00
Patrick Schleizer
d2f6ac0491
fix, do user/group modifications in preinst rather than postinst
2019-12-10 03:50:23 -05:00
Patrick Schleizer
64ae53edb9
bumped changelog version
2019-12-09 08:25:30 -05:00
Patrick Schleizer
6f944234a9
bumped changelog version
2019-12-08 05:26:29 -05:00
Patrick Schleizer
c192644ee3
security-misc /usr/share/pam-configs/permission-lockdown-security-misc
is no longer required, removed.
...
Thereby fix apparmor issue.
> Dec 08 09:47:50 host audit[3232]: AVC apparmor="DENIED" operation="exec" profile="/usr/bin/whonixcheck" name="/usr/lib/security-misc/permission-lockdown" pid=3232 comm="sudo" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
> Dec 08 09:47:50 host sudo[3232]: pam_exec(sudo:session): execve(/usr/lib/security-misc/permission-lockdown,...) failed: Permission denied
It is no longer required, because...
existing linux user accounts:
* Get permission lock down because security-misc `debian/security-misc.postinst` calls `/usr/lib/security-misc/permission-lockdown`.
new linux user accounts (created at first boot):
* security-misc `/usr/share/pam-configs/mkhomedir-security-misc` pam mkhomedir sets secure permissions using `umask=027`.
2019-12-08 05:21:35 -05:00
Patrick Schleizer
edcc2de71d
bumped changelog version
2019-12-08 04:38:33 -05:00
Patrick Schleizer
17d81d0083
bumped changelog version
2019-12-08 04:27:01 -05:00
Patrick Schleizer
ebae9eef38
skip sudo_users_check in Qubes
...
Qubes users can use dom0 to get a root terminal emulator.
For example:
qvm-run -u root debian-10 xterm
2019-12-08 04:25:19 -05:00
Patrick Schleizer
53e4717c62
bumped changelog version
2019-12-08 04:05:29 -05:00
Patrick Schleizer
a345a0fb64
abort installation if ssh.service is enabled but no user is member of group ssh
2019-12-08 03:27:12 -05:00
Patrick Schleizer
cea598dc1a
refactoring
2019-12-08 02:43:05 -05:00
Patrick Schleizer
54f5e02c21
comment
2019-12-08 02:42:30 -05:00
Patrick Schleizer
b4265195f4
refactoring
2019-12-08 02:41:36 -05:00
Patrick Schleizer
0f65b2e85c
abort installation if no user is a member of group "console"; output
...
https://forums.whonix.org/t/etc-security-hardening-console-lockdown-pam-access-access-conf/8592/7
2019-12-08 02:38:19 -05:00
Patrick Schleizer
1dbca1ea2d
add usr/bin/hardening-enable
2019-12-08 02:27:09 -05:00
Patrick Schleizer
24423b42f0
description
2019-12-08 02:03:05 -05:00
Patrick Schleizer
6b01e5be14
comment
2019-12-08 02:01:22 -05:00
Patrick Schleizer
66bebefc9f
description
2019-12-08 02:00:23 -05:00
Patrick Schleizer
52e0f104cc
comment
2019-12-08 01:59:55 -05:00
Patrick Schleizer
731d486fa0
refactoring
2019-12-08 01:58:58 -05:00
Patrick Schleizer
221a2df2a2
refactoring
2019-12-08 01:58:37 -05:00
Patrick Schleizer
b871421a54
usr/share/pam-configs/console-lockdown -> usr/share/pam-configs/console-lockdown-security-misc
2019-12-08 01:57:43 -05:00
Patrick Schleizer
d36669596f
comment
2019-12-08 01:56:30 -05:00
Patrick Schleizer
1a0f353708
comment
2019-12-08 01:47:40 -05:00
Patrick Schleizer
eed1f0a462
comment
2019-12-08 01:46:32 -05:00
Patrick Schleizer
2491b62393
refactoring, add all groups first before adding any users to any groups
2019-12-08 01:43:45 -05:00
Patrick Schleizer
1464f01d19
description
2019-12-08 01:30:42 -05:00
Patrick Schleizer
c1800b13fe
separate group "ssh" for incoming ssh console permission
...
Thanks to @madaidan
https://forums.whonix.org/t/etc-security-hardening-console-lockdown-pam-access-access-conf/8592/16
2019-12-07 11:26:39 -05:00
Patrick Schleizer
55225aa30e
description
2019-12-07 07:16:07 -05:00
Patrick Schleizer
34a2bc16c8
description
2019-12-07 07:15:58 -05:00
Patrick Schleizer
d823f06c78
description
2019-12-07 07:13:42 -05:00
Patrick Schleizer
090ddbe96a
description
2019-12-07 06:00:41 -05:00
Patrick Schleizer
6479c883bf
Console Lockdown.
...
Allow members of group 'console' to use tty1 to tty7. Everyone else except
members of group 'console-unrestricted' are restricted from using console
using ancient, unpopular login methods such as using /bin/login over networks,
which might be exploitable. (CVE-2001-0797)
Not enabled by default in this package since this package does not know which
users shall be added to group 'console'.
In new Whonix builds, user 'user" will be added to group 'console' and
pam console-lockdown enabled by package anon-base-files.
/usr/share/pam-configs/console-lockdown
/etc/security/access-security-misc.conf
https://forums.whonix.org/t/etc-security-hardening/8592
2019-12-07 05:40:20 -05:00
Patrick Schleizer
52934c9288
bumped changelog version
2019-12-07 02:02:32 -05:00
Patrick Schleizer
6d92d03b31
description
2019-12-07 01:54:50 -05:00
Patrick Schleizer
0afcc5e798
bumped changelog version
2019-12-06 12:43:21 -05:00
Patrick Schleizer
af0cf058e7
bumped changelog version
2019-12-06 11:18:20 -05:00
Patrick Schleizer
bff425fec2
bumped changelog version
2019-12-06 09:32:18 -05:00
Patrick Schleizer
470cad6e91
remount /home /tmp /dev/shm /run with nosuid,nodev (default) and noexec (opt-in)
...
https://forums.whonix.org/t/re-mount-home-and-other-with-noexec-and-nosuid-among-other-useful-mount-options-for-better-security/7707
2019-12-06 05:14:02 -05:00
madaidan
af9e19c51f
Update control
2019-12-05 20:14:55 +00:00
Patrick Schleizer
0c25a96b59
description / comments
2019-12-03 02:18:32 -05:00
madaidan
8d63da3cef
Update control
2019-12-02 16:46:12 +00:00
Patrick Schleizer
6ca48fffdc
bumped changelog version
2019-11-28 10:22:41 -05:00
Patrick Schleizer
25aed91eb1
description
2019-11-28 09:20:46 -05:00
Patrick Schleizer
0c4e5df3e0
description
2019-11-28 09:18:05 -05:00
Patrick Schleizer
5ac2a6f9ac
description
2019-11-28 09:17:32 -05:00
Patrick Schleizer
ff3412fbe0
fix, make sure to undo pam changes on package removal
...
Thanks to minimal for the bug report!
https://forums.whonix.org/t/is-security-misc-suitable-for-hardening-bridges-and-relays/8299/11
2019-11-27 10:22:31 -05:00
Patrick Schleizer
9091f69edd
bumped changelog version
2019-11-25 08:51:36 +00:00
Patrick Schleizer
aa5451c8cd
Lock user accounts after 50 rather than 100 failed login attempts.
...
https://forums.whonix.org/t/how-strong-do-linux-user-account-passwords-have-to-be-when-using-full-disk-encryption-fde-too/7698/19
2019-11-25 01:39:53 -05:00
Patrick Schleizer
6277db1383
bumped changelog version
2019-11-23 14:07:45 +00:00
Patrick Schleizer
fe1f1b73a7
load jitterentropy_rng kernel module for better entropy collection
...
https://www.whonix.org/wiki/Dev/Entropy
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=927972
https://forums.whonix.org/t/jitterentropy-rngd/7204
2019-11-23 11:20:32 +00:00
Patrick Schleizer
e76e1475b0
comment
2019-11-22 12:24:35 -05:00
Patrick Schleizer
a99dfd067a
bumped changelog version
2019-11-19 15:31:55 +00:00
Patrick Schleizer
8ad8dbea5a
bumped changelog version
2019-11-18 19:16:16 +00:00
Patrick Schleizer
d1d61b106b
bumped changelog version
2019-11-09 18:44:50 +00:00
Patrick Schleizer
6b7df973f6
bumped changelog version
2019-11-09 12:57:45 +00:00
Patrick Schleizer
6e28774f95
bumped changelog version
2019-11-09 12:23:15 +00:00
Patrick Schleizer
b55c2fd62e
Enables punycode (network.IDN_show_punycode
) by default in Thunderbird
...
to make phising attacks more difficult. Fixing URL not showing real Domain
Name (Homograph attack).
https://forums.whonix.org/t/enable-network-idn-show-punycode-by-default-in-thunderbird-to-fix-url-not-showing-real-domain-name-homograph-attack-punycode/8415
2019-11-03 02:50:51 -05:00
Patrick Schleizer
bf62306d4f
bumped changelog version
2019-10-31 16:34:35 +00:00
Patrick Schleizer
6e5d8b357d
bumped changelog version
2019-10-31 16:06:51 +00:00
Patrick Schleizer
203d5cfa68
copyright
2019-10-31 11:19:44 -04:00
madaidan
0699747fcb
Debian packaging
2019-10-28 14:24:37 +00:00
madaidan
fe4e29d392
Depend on dh-apparmor
2019-10-28 14:22:47 +00:00
Patrick Schleizer
d832ab91bd
bumped changelog version
2019-10-23 10:22:03 +00:00
Patrick Schleizer
9c8f678cb9
bumped changelog version
2019-10-21 09:55:41 +00:00
Patrick Schleizer
2d436f3602
bumped changelog version
2019-10-21 09:51:36 +00:00
Patrick Schleizer
40707e70db
Redirect calls for pkexec to lxqt-sudo because pkexec is incompatible with hidepid.
...
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=860040
https://forums.whonix.org/t/cannot-use-pkexec/8129
Thanks to AnonymousUser for the bug report!
2019-10-21 05:46:49 -04:00
Patrick Schleizer
31b771ac2e
bumped changelog version
2019-10-18 10:39:43 +00:00
Patrick Schleizer
957deac5cb
fix lintian warning
...
W: security-misc: maintainer-script-should-not-parse-etc-passwd-or-group preinst:19
2019-10-18 10:38:25 +00:00
Patrick Schleizer
d301e7f365
description, fix lintian warning
2019-10-18 10:36:44 +00:00
Patrick Schleizer
ce6b64a9ba
bumped changelog version
2019-10-18 08:55:07 +00:00
Patrick Schleizer
c9d75ef9ea
abort installation if no user is part of group sudo
...
https://forums.whonix.org/t/is-security-misc-suitable-for-hardening-bridges-and-relays/8299/4
Thanks to minimal for the bug report!
2019-10-17 06:46:47 -04:00
Patrick Schleizer
8a42c5b023
Merge pull request #34 from madaidan/whitelist
...
Add a whitelist for /sys and /proc/cpuinfo
2019-10-17 09:59:12 +00:00
madaidan
259b1f2c71
Update control
2019-10-16 19:21:24 +00:00
madaidan
af607d5eb2
Create sysfs and cpuinfo groups
2019-10-15 21:02:03 +00:00
Patrick Schleizer
4b1b3b7d66
bumped changelog version
2019-10-14 10:23:01 +00:00
Patrick Schleizer
8b4f2befd4
comment out sack by default
...
https://forums.whonix.org/t/disabling-tcp-sack-dsack-fack/8109/8?u=patrick
2019-10-05 13:15:34 +00:00
Patrick Schleizer
02096f8d7c
Revert "undo Disabling TCP SACK, DSACK, FACK"
...
This reverts commit 5fb4eb8e56
.
2019-10-05 13:13:46 +00:00
Patrick Schleizer
62a0239207
bumped changelog version
2019-10-05 11:33:15 +00:00
Patrick Schleizer
5fb4eb8e56
undo Disabling TCP SACK, DSACK, FACK
...
https://forums.whonix.org/t/disabling-tcp-sack-dsack-fack/8109/5
2019-10-05 07:00:47 -04:00
Patrick Schleizer
213aef6eb9
bumped changelog version
2019-10-05 09:40:26 +00:00
madaidan
ec5fcf813b
Update control
2019-10-03 20:50:48 +00:00
Patrick Schleizer
ddc778b452
bumped changelog version
2019-09-16 13:34:11 +00:00
Patrick Schleizer
c2e444479c
bumped changelog version
2019-09-15 14:08:13 +00:00
Patrick Schleizer
619550da23
description
2019-09-15 14:00:24 +00:00
Patrick Schleizer
b95b66e429
description
2019-09-15 13:56:37 +00:00
Patrick Schleizer
ae804a15e7
description
2019-09-15 13:21:02 +00:00
Patrick Schleizer
3d187dab99
bumped changelog version
2019-09-12 12:50:42 +00:00
Patrick Schleizer
f13a73e569
undo SysRq restrictions
...
https://forums.whonix.org/t/sysrq-magic-sysrq-key/8079
2019-09-10 12:35:42 -04:00
Patrick Schleizer
1f75a10650
bumped changelog version
2019-09-09 12:10:24 +00:00
Patrick Schleizer
9d875d7c31
bumped changelog version
2019-09-07 06:11:32 +00:00
Patrick Schleizer
8132052ce0
run update-grub from postinst so /etc/default/grub.d changes take effect
2019-09-07 05:44:23 +00:00
Patrick Schleizer
661bcd8603
allow loading unsigned modules due to issues
...
https://forums.whonix.org/t/allow-loading-signed-kernel-modules-by-default-disallow-kernel-module-loading-by-default/7880/23
2019-09-07 05:39:56 +00:00
Patrick Schleizer
9ee9309f54
bumped changelog version
2019-09-06 13:04:57 +00:00
Patrick Schleizer
ea0779e42a
rm_conffile /etc/sudoers.d/umask-security-misc
2019-09-06 13:00:20 +00:00
Patrick Schleizer
3a9939dccb
bumped changelog version
2019-09-06 11:47:40 +00:00
Patrick Schleizer
5960c1682a
description
2019-09-06 11:46:22 +00:00
Patrick Schleizer
fccfacfdaf
description
2019-09-06 11:45:54 +00:00