Commit Graph

97 Commits

Author SHA1 Message Date
Patrick Schleizer
86f91e3030
revert umask 027 by default
because broken because this also happens for root while it should not

https://github.com/Kicksecure/security-misc/issues/185
2024-01-06 09:11:54 -05:00
Patrick Schleizer
5b36599c0c
/dev/, /dev/shm, /tmp
https://github.com/Kicksecure/security-misc/issues/157#issuecomment-1869073716
2023-12-29 14:57:38 -05:00
Patrick Schleizer
c86c83cef7
formatting
https://github.com/Kicksecure/security-misc/issues/157
2023-12-25 10:31:58 -05:00
Patrick Schleizer
971ff687b1
do not mount /dev/cdrom by default
https://github.com/Kicksecure/security-misc/issues/157
2023-12-25 10:30:35 -05:00
Patrick Schleizer
9fce67fcd9
remove superfluous, broken remount mount option
https://github.com/Kicksecure/security-misc/issues/157
2023-12-25 10:28:47 -05:00
Patrick Schleizer
40fd8cb608
no nofail mount option to avoid breaking the boot of a system
unit testing belongs elsewhere

https://github.com/Kicksecure/security-misc/issues/157
2023-12-25 09:51:09 -05:00
Patrick Schleizer
4aa645f29f
comment
https://github.com/Kicksecure/security-misc/issues/157
2023-12-25 09:46:33 -05:00
Patrick Schleizer
2b7aeedb4a
mount /dev/cdrom to /mnt/cdrom (instead of /mnt/cdrom0) and
nodev,nosuid,noexec

as per:
https://www.debian.org/doc/manuals/securing-debian-manual/ch04s10.en.html

https://github.com/Kicksecure/security-misc/issues/157
2023-12-25 09:44:51 -05:00
Patrick Schleizer
0d9e9780da
formatting
https://github.com/Kicksecure/security-misc/issues/157
2023-12-25 09:37:14 -05:00
Patrick Schleizer
00f9ab4394
/dev devtmpfs
https://github.com/Kicksecure/security-misc/issues/157
2023-12-25 09:36:05 -05:00
Patrick Schleizer
55709b3aa0
/tmp tmpfs
https://github.com/Kicksecure/security-misc/issues/157
2023-12-25 09:30:57 -05:00
Patrick Schleizer
b0dd967611
usrmerge
https://github.com/Kicksecure/security-misc/issues/157
2023-12-25 09:28:08 -05:00
Patrick Schleizer
269fada14a
combine bind lines
https://github.com/Kicksecure/security-misc/issues/157
2023-12-25 09:25:14 -05:00
Patrick Schleizer
039de1dc9b
add hardened fstab /usr/share/doc/security-misc/fstab-vm
to the documentation folder as an example

not directly used by security-misc

will later be used by Kicksecure VM build process

https://github.com/Kicksecure/security-misc/issues/157
2023-12-12 11:50:11 -05:00
Patrick Schleizer
3bc831a1f7
lintian 2023-11-06 16:27:29 -05:00
Patrick Schleizer
b85d48eb83
do not change default umask for root
since this causes permission issues in `/etc/`

https://github.com/Kicksecure/security-misc/pull/151
2023-11-03 10:31:59 -04:00
Patrick Schleizer
07540db90d
Revert "Revert "set default umask to 027""
This reverts commit f8913ceb2e.
2023-11-03 09:45:12 -04:00
Patrick Schleizer
f8913ceb2e
Revert "set default umask to 027"
This reverts commit cd216095eb.
2023-11-03 09:43:44 -04:00
Patrick Schleizer
cd216095eb
set default umask to 027
using package libpam-umask

https://www.debian.org/doc/manuals/securing-debian-manual/ch04s11.en.html#id-1.5.14.19

https://github.com/Kicksecure/security-misc/pull/151
2023-11-03 09:12:24 -04:00
Patrick Schleizer
a7629b98cf
fix 2023-10-22 15:40:49 -04:00
Patrick Schleizer
25760f7024
bookworm 2023-06-13 08:34:41 +00:00
Raja Grewal
7a4212dd76
Update copyright 2023-03-30 17:08:47 +11:00
Patrick Schleizer
b87d9eb865
lintian 2023-01-24 07:08:13 -05:00
Patrick Schleizer
d31c17ea04
fix 2023-01-07 14:31:14 -05:00
Patrick Schleizer
41d116aa2f
lintian 2023-01-07 14:30:12 -05:00
Patrick Schleizer
8b584c570a
lintian 2022-06-29 16:06:22 -04:00
Patrick Schleizer
1c51d15649
lintian 2022-06-29 15:23:53 -04:00
Patrick Schleizer
6eba53767f
lintian 2022-06-29 14:17:52 -04:00
Patrick Schleizer
cfae7de6a8
lintian 2022-06-29 09:58:37 -04:00
Patrick Schleizer
2d37e3a1af
copyright 2022-05-20 14:46:38 -04:00
Patrick Schleizer
be8c10496f
fix faillock implementation
dovecot / ssh are exempted
2021-09-01 15:55:53 -04:00
Patrick Schleizer
582492d6d8
port from pam_tally2 to pam_faillock
since pam_tally2 was deprecated upstream
2021-08-10 17:13:00 -04:00
Patrick Schleizer
2bf0e7471c
port from pam_tally2 to pam_faillock
since pam_tally2 was deprecated upstream
2021-08-10 15:11:01 -04:00
Patrick Schleizer
2aea74bd71
renamed: usr/libexec/security-misc/pam_tally2-info -> usr/libexec/security-misc/pam-info
renamed:    usr/libexec/security-misc/pam_tally2_not_if_x -> usr/libexec/security-misc/pam_faillock_not_if_x
renamed:    usr/share/pam-configs/tally2-security-misc -> usr/share/pam-configs/faillock-security-misc
2021-08-10 15:06:04 -04:00
Patrick Schleizer
50bdd097df
move /usr/lib/security-misc to /usr/libexec/security-misc as per lintian FHS 2021-08-03 12:56:31 -04:00
Patrick Schleizer
8eae635668
update lintian tag name 2021-08-03 11:51:31 -04:00
Patrick Schleizer
b3e34f7f43
comment 2021-07-25 11:27:07 -04:00
Patrick Schleizer
7e128636b3
improve LKRG VirtualBox host configuration
as per https://github.com/openwall/lkrg/issues/82#issuecomment-886188999
2021-07-25 11:26:20 -04:00
Patrick Schleizer
257cef24ba
add LKRG compatibility settings automation for VirtualBox hosts
https://github.com/openwall/lkrg/issues/82
2021-07-24 18:03:40 -04:00
Patrick Schleizer
a67007f4b7
copyright 2021-03-17 09:45:21 -04:00
Patrick Schleizer
9622f28e25
skip counting failed login attempts from dovecot
Failed dovecot logins should not result in account getting locked.

revert "use pam_tally2 only for login"
2021-01-27 05:49:34 -05:00
Patrick Schleizer
6757104aa4
use pam_tally2 only for login
to skip counting failed login attempts over ssh and mail login
2021-01-24 05:04:48 -05:00
Patrick Schleizer
5c81e1f23f
import from anon-gpg-conf 2020-04-06 09:25:45 -04:00
Patrick Schleizer
2ceea8d1fe
update copyright year 2020-04-01 08:49:59 -04:00
Patrick Schleizer
300f010fc2
increase priority of pam-abort-on-locked-password-security-misc
since it has its own user help output

so it shows before pam tally2 info

to avoid duplicate non-applicable help text
2019-12-12 09:29:00 -05:00
Patrick Schleizer
729fa26eca
use pam_acccess only for /etc/pam.d/login
remove "Allow members of group 'ssh' to login."
remove "+:ssh:ALL EXCEPT LOCAL"
2019-12-12 09:00:08 -05:00
Patrick Schleizer
c192644ee3
security-misc /usr/share/pam-configs/permission-lockdown-security-misc is no longer required, removed.
Thereby fix apparmor issue.

> Dec 08 09:47:50 host audit[3232]: AVC apparmor="DENIED" operation="exec" profile="/usr/bin/whonixcheck" name="/usr/lib/security-misc/permission-lockdown" pid=3232 comm="sudo" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
> Dec 08 09:47:50 host sudo[3232]: pam_exec(sudo:session): execve(/usr/lib/security-misc/permission-lockdown,...) failed: Permission denied

It is no longer required, because...

existing linux user accounts:

* Get permission lock down because security-misc `debian/security-misc.postinst` calls `/usr/lib/security-misc/permission-lockdown`.

new linux user accounts (created at first boot):

* security-misc `/usr/share/pam-configs/mkhomedir-security-misc` pam mkhomedir sets secure permissions using `umask=027`.
2019-12-08 05:21:35 -05:00
Patrick Schleizer
c7c65fe4e7
higher priority usr/share/pam-configs/tally2-security-misc
so it can give info before pam stack gets aborted by other pam modules
2019-12-08 03:15:53 -05:00
Patrick Schleizer
19cc6d7555
pam description 2019-12-08 02:10:43 -05:00
Patrick Schleizer
b871421a54
usr/share/pam-configs/console-lockdown -> usr/share/pam-configs/console-lockdown-security-misc 2019-12-08 01:57:43 -05:00