Commit Graph

170 Commits

Author SHA1 Message Date
Patrick Schleizer
cd19c2da00
fix lintian warning 2020-03-03 09:18:24 -05:00
Patrick Schleizer
453aa8a4eb
Merge pull request #65 from madaidan/userfaultfd
Restrict the userfaultfd() syscall to root
2020-02-29 12:28:32 +00:00
Patrick Schleizer
e3e39f2235
Merge remote-tracking branch 'origin/master' 2020-02-29 05:01:41 -05:00
Patrick Schleizer
b31caefdeb
description 2020-02-29 04:59:02 -05:00
Patrick Schleizer
bd7678c574
Merge pull request #66 from madaidan/mce
Fix docs
2020-02-28 12:04:05 +00:00
madaidan
42d3b986c4
Update control 2020-02-27 17:41:14 +00:00
Patrick Schleizer
4043d2af3f
description 2020-02-25 02:06:48 -05:00
Patrick Schleizer
0e5187ff24
description 2020-02-25 02:00:27 -05:00
madaidan
60fbf8b0de
Update control 2020-02-24 18:24:07 +00:00
madaidan
8ea4e50c8e
Update control 2020-02-16 19:52:40 +00:00
Patrick Schleizer
1e5946c795
Merge branch 'master' into sysrq 2020-02-15 10:41:52 +00:00
madaidan
0f49736957
Update control 2020-02-14 18:18:18 +00:00
madaidan
ace6211176
Update control 2020-02-14 17:51:17 +00:00
Patrick Schleizer
ad6b766886
Merge pull request #57 from madaidan/sysctl
Prevent symlink/hardlink TOCTOU races
2020-02-13 18:40:58 +00:00
madaidan
2796c2dd00
Update control 2020-02-12 18:43:19 +00:00
madaidan
14f8458374
Update control 2020-02-12 18:05:32 +00:00
Patrick Schleizer
c1a0da60be
set kernel boot parameter l1tf=full,force and nosmt=force
https://forums.whonix.org/t/should-all-kernel-patches-for-cpu-bugs-be-unconditionally-enabled-vs-performance-vs-applicability/7647/17
2020-01-30 00:46:48 -05:00
Patrick Schleizer
f4c54881ac
description 2020-01-24 04:49:19 -05:00
Patrick Schleizer
a37da1c968
add digits to drop-in file names 2020-01-24 04:39:06 -05:00
Patrick Schleizer
3a4d283169
description 2020-01-24 04:33:30 -05:00
Patrick Schleizer
8616728ce0
remove duplicate 2020-01-24 03:35:15 -05:00
madaidan
1df48a226d
Update control 2020-01-15 20:30:17 +00:00
Patrick Schleizer
0618b53464
fix lintian warning 2020-01-15 11:35:07 -05:00
Patrick Schleizer
528c5fc4c4
Merge branch 'master' into sysctl-initramfs 2020-01-15 11:02:03 +00:00
madaidan
0953bbe1d7
Update control 2020-01-13 21:05:35 +00:00
madaidan
9dc43eae38
Description 2020-01-12 21:42:07 +00:00
Patrick Schleizer
61a2d390a7
lintian 2020-01-11 15:15:12 -05:00
madaidan
6088444c37
Update control 2020-01-11 18:38:17 +00:00
Patrick Schleizer
9ec5b0ee82
description: lockdown not enabled yet 2019-12-23 03:38:49 -05:00
Patrick Schleizer
1ff51ee061
merge 2019-12-23 03:37:28 -05:00
Patrick Schleizer
3670fcf48b
depend on libcap2-bin for setcap / getcap / capsh 2019-12-23 00:49:33 -05:00
madaidan
8f11a520f4
Update control 2019-12-22 13:54:16 +00:00
Patrick Schleizer
b74e5ca972
comment 2019-12-21 07:47:00 -05:00
Patrick Schleizer
ed20980f4c
refactoring 2019-12-21 05:07:10 -05:00
Patrick Schleizer
8e112c3423
description 2019-12-20 06:53:24 -05:00
Patrick Schleizer
24ea70384b
description 2019-12-20 06:53:03 -05:00
Patrick Schleizer
2c4170e6f3
description 2019-12-12 09:47:58 -05:00
Patrick Schleizer
2d5ef378f3
description 2019-12-12 09:39:39 -05:00
Patrick Schleizer
c192644ee3
security-misc /usr/share/pam-configs/permission-lockdown-security-misc is no longer required, removed.
Thereby fix apparmor issue.

> Dec 08 09:47:50 host audit[3232]: AVC apparmor="DENIED" operation="exec" profile="/usr/bin/whonixcheck" name="/usr/lib/security-misc/permission-lockdown" pid=3232 comm="sudo" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
> Dec 08 09:47:50 host sudo[3232]: pam_exec(sudo:session): execve(/usr/lib/security-misc/permission-lockdown,...) failed: Permission denied

It is no longer required, because...

existing linux user accounts:

* Get permission lock down because security-misc `debian/security-misc.postinst` calls `/usr/lib/security-misc/permission-lockdown`.

new linux user accounts (created at first boot):

* security-misc `/usr/share/pam-configs/mkhomedir-security-misc` pam mkhomedir sets secure permissions using `umask=027`.
2019-12-08 05:21:35 -05:00
Patrick Schleizer
1dbca1ea2d
add usr/bin/hardening-enable 2019-12-08 02:27:09 -05:00
Patrick Schleizer
24423b42f0
description 2019-12-08 02:03:05 -05:00
Patrick Schleizer
66bebefc9f
description 2019-12-08 02:00:23 -05:00
Patrick Schleizer
b871421a54
usr/share/pam-configs/console-lockdown -> usr/share/pam-configs/console-lockdown-security-misc 2019-12-08 01:57:43 -05:00
Patrick Schleizer
1464f01d19
description 2019-12-08 01:30:42 -05:00
Patrick Schleizer
55225aa30e
description 2019-12-07 07:16:07 -05:00
Patrick Schleizer
34a2bc16c8
description 2019-12-07 07:15:58 -05:00
Patrick Schleizer
d823f06c78
description 2019-12-07 07:13:42 -05:00
Patrick Schleizer
090ddbe96a
description 2019-12-07 06:00:41 -05:00
Patrick Schleizer
6479c883bf
Console Lockdown.
Allow members of group 'console' to use tty1 to tty7. Everyone else except
members of group 'console-unrestricted' are restricted from using console
using ancient, unpopular login methods such as using /bin/login over networks,
which might be exploitable. (CVE-2001-0797)

Not enabled by default in this package since this package does not know which
users shall be added to group 'console'.

In new Whonix builds, user 'user" will be added to group 'console' and
pam console-lockdown enabled by package anon-base-files.

/usr/share/pam-configs/console-lockdown

/etc/security/access-security-misc.conf

https://forums.whonix.org/t/etc-security-hardening/8592
2019-12-07 05:40:20 -05:00
Patrick Schleizer
6d92d03b31
description 2019-12-07 01:54:50 -05:00