Commit Graph

206 Commits

Author SHA1 Message Date
Patrick Schleizer
b55913637b
silence output by mount/grep 2019-10-22 08:54:48 -04:00
Patrick Schleizer
a1154170c9
Call original pkexec in case there are no arguments. 2019-10-22 08:54:17 -04:00
Patrick Schleizer
1e4d0ea1d0
fix lintian warning 2019-10-21 09:55:05 +00:00
Patrick Schleizer
343d9cc916
fix 2019-10-21 09:53:55 +00:00
Patrick Schleizer
40707e70db
Redirect calls for pkexec to lxqt-sudo because pkexec is incompatible with hidepid.
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=860040

https://forums.whonix.org/t/cannot-use-pkexec/8129

Thanks to AnonymousUser for the bug report!
2019-10-21 05:46:49 -04:00
Patrick Schleizer
a5045dc26e
set -e 2019-10-17 06:18:32 -04:00
Patrick Schleizer
4aba027566
syntax check 2019-10-17 06:12:36 -04:00
Patrick Schleizer
8b9aa8841a
fix 2019-10-17 06:11:01 -04:00
Patrick Schleizer
cfbd77040a
set "shopt -s nullglob" to avoid failing when folder /etc/hide-hardware-info.d
does not exist or is empty
2019-10-17 06:10:29 -04:00
Patrick Schleizer
b05663c5f6
shuffle
https://forums.whonix.org/t/restrict-hardware-information-to-root/7329/80
2019-10-17 06:08:55 -04:00
Patrick Schleizer
28a440091d
code simplification 2019-10-17 06:08:16 -04:00
Patrick Schleizer
3c4e261c20
remove trailing spaces 2019-10-17 06:05:23 -04:00
Patrick Schleizer
8a42c5b023
Merge pull request #34 from madaidan/whitelist
Add a whitelist for /sys and /proc/cpuinfo
2019-10-17 09:59:12 +00:00
madaidan
61f742304d
return 0 2019-10-16 19:46:59 +00:00
madaidan
ffba0e0179
Elaborate 2019-10-16 19:04:15 +00:00
madaidan
f08c03ab21
Restrict sysfs/cpuinfo if the whitelist is disabled 2019-10-16 15:39:23 +00:00
madaidan
6b78dbcd07
Add way to whitelist things 2019-10-15 20:57:02 +00:00
Patrick Schleizer
d2bc3a2a08
chmod +x usr/lib/security-misc/hide-hardware-info 2019-10-05 09:14:41 +00:00
madaidan
87917d2f03
Add licensing 2019-10-03 21:38:07 +00:00
madaidan
9449f5017a
Create hide-hardware-info 2019-10-03 20:45:14 +00:00
Patrick Schleizer
75258843e9
copyright 2019-09-16 13:03:43 +00:00
Patrick Schleizer
8e39cea876
comment 2019-09-16 13:03:25 +00:00
Patrick Schleizer
bac462f211
comment 2019-09-16 13:03:02 +00:00
Patrick Schleizer
bec680d4f3
pam_tally2-info: fix, do nothing when started as user "user"
xscreensaver runs as user "user", therefore pam_tally2 cannot function.
xscreensaver has its own failed login counter.

as user "user"
/sbin/pam_tally2 -u user
pam_tally2: Error opening /var/log/tallylog for update: Permission denied
/sbin/pam_tally2: Authentication error

https://askubuntu.com/questions/983183/how-lock-the-unlock-screen-after-wrong-password-attempts

https://forums.whonix.org/t/how-strong-do-linux-user-account-passwords-have-to-be-when-using-full-disk-encryption-fde-too/7698
2019-09-16 12:30:23 +00:00
Patrick Schleizer
0ae5c5ff14
remove umask changes since these are causing issues and are not needed anymore
thanks to home folder permission lockdown

https://forums.whonix.org/t/change-default-umask/7416/45
2019-08-24 12:14:22 -04:00
Patrick Schleizer
0140df8668
virusforget 2019-08-19 08:43:28 +00:00
Patrick Schleizer
113ab42568
virusforget 2019-08-19 08:31:23 +00:00
Patrick Schleizer
416906d4f9
virusforget 2019-08-19 08:19:35 +00:00
Patrick Schleizer
2d867d9fee
virusforget 2019-08-19 08:10:18 +00:00
Patrick Schleizer
8e76e6b8b3
fix 2019-08-19 07:48:12 +00:00
Patrick Schleizer
3f068f77fe
keep cache folder outside of reach of user since even user can remove files
owned by root in its home folder
2019-08-19 07:47:20 +00:00
Patrick Schleizer
1fa1efa58e
credits 2019-08-19 07:22:09 +00:00
Patrick Schleizer
1e026a3ebb
initial development version of VirusForget 2019-08-18 22:50:44 +00:00
Patrick Schleizer
41b2819ec8
PAM: abort on locked password
to avoid needlessly bumping pam_tally2 counter

https://forums.whonix.org/t/restrict-root-access/7658/1
2019-08-17 10:33:47 +00:00
Patrick Schleizer
ed90d8b025
change default umask to 027
as per:

https://forums.whonix.org/t/change-default-umask/7416/47
2019-08-17 09:55:20 +00:00
Patrick Schleizer
17cfcb63b6
code simplification; report locked account earlier 2019-08-16 10:50:56 -04:00
Patrick Schleizer
ff9bc1d7ea
informational output during PAM:
* Show failed and remaining password attempts.
* Document unlock procedure if Linux user account got locked.
* Point out that there is no password feedback for `su`.
* Explain locked (root) account if locked.
* /usr/share/pam-configs/tally2-security-misc
* /usr/lib/security-misc/pam_tally2-info
2019-08-15 13:37:28 +00:00
Patrick Schleizer
454e135822
pam_tally2.so even_deny_root 2019-08-15 07:33:41 +00:00
Patrick Schleizer
63b476221c
use requisite rather than required to avoid asking for password needlessly
if login will fail anyhow
2019-08-15 07:30:56 +00:00
Patrick Schleizer
8fdc77fed5
output to stdout 2019-08-14 10:33:23 +00:00
Patrick Schleizer
547ba91d79
sanity test 2019-08-14 09:45:30 +00:00
Patrick Schleizer
799acad724
skip, if not a folder 2019-08-14 09:39:43 +00:00
Patrick Schleizer
6321ff5ad5
refactoring 2019-08-14 09:38:44 +00:00
Patrick Schleizer
15094cab4f
avoid ' character in usr/share/pam-configs; in description 2019-08-14 09:36:30 +00:00
Patrick Schleizer
97d1945e61
no log needed, informative output to stdout instead 2019-08-14 09:32:58 +00:00
Patrick Schleizer
a085d46c56
change priorities so "pam_umask.so usergroups umask=006" runs before pam_exec.so /usr/lib/security-misc/permission-lockdown 2019-08-14 09:31:58 +00:00
Patrick Schleizer
f8c828b69a
output 2019-08-14 05:19:02 -04:00
Patrick Schleizer
e5da6d9699
copyright 2019-08-14 05:17:54 -04:00
Patrick Schleizer
1595789d7c
comment 2019-08-14 05:17:16 -04:00
Patrick Schleizer
ce06fdf911
formatting 2019-08-14 05:15:53 -04:00
Patrick Schleizer
21489111d1
run permission lockdown during pam
https://forums.whonix.org/t/change-default-umask/7416
2019-08-14 08:34:03 +00:00
Patrick Schleizer
52df8dc014
optional pam_umask.so usergroups umask=006 2019-08-14 07:37:21 +00:00
Patrick Schleizer
dbea7d1511
add hook etc/kernel/postinst.d/30_remove-system-map to remove system.map
on kernel package upgrade;

self-document this package: during upgrade the following will be written
to stdout:

Setting up linux-image-4.19.0-5-amd64 (4.19.37-5+deb10u2) ...
/etc/kernel/postinst.d/30_remove-system-map:
removed '/boot/System.map-4.19.0-5-amd64
2019-08-14 07:22:14 +00:00
Patrick Schleizer
2f37a66fd0
description 2019-08-11 10:31:29 +00:00
Patrick Schleizer
e83ec79a25
enable usr/share/pam-configs/mkhomedir-security-misc by default 2019-08-11 10:30:51 +00:00
Patrick Schleizer
1eb806a03e
pam_mkhomedir.so umask=006 2019-08-11 10:29:49 +00:00
Patrick Schleizer
c50eb3c9b0
add usr/share/pam-configs/mkhomedir-security-misc based on
/usr/share/pam-configs/mkhomedir
2019-08-11 10:28:55 +00:00
Patrick Schleizer
a2fa18c381
pam_tally2.so deny=100
during testing, due to issues

d17e25272b

https://forums.whonix.org/t/how-strong-do-linux-user-account-passwords-have-to-be-when-using-full-disk-encryption-fde-too/7698/12
2019-08-10 07:07:28 -04:00
Patrick Schleizer
d17e25272b
effectively (not directly) add "required pam_tally2.so debug" to /etc/pam.d/common-account
This is required because otherwise something like "sudo bash" would count as a
failed login for pam_tally2 even though it was successful.

https://bugzilla.redhat.com/show_bug.cgi?id=707660

https://forums.whonix.org/t/restrict-root-access/7658
2019-08-10 06:06:39 -04:00
Patrick Schleizer
0f896a9d8d
add onerr=fail audit to pam_tally2 2019-08-10 06:05:37 -04:00
Patrick Schleizer
e076470f68
renamed: usr/share/pam-configs/usergroups -> usr/share/pam-configs/usergroups-security-misc 2019-08-01 11:04:58 +00:00
Patrick Schleizer
830111e99a
split usr/share/pam-configs/security-misc
into
usr/share/pam-configs/tally2-security-misc
usr/share/pam-configs/wheel-security-misc
2019-08-01 11:04:22 +00:00
Patrick Schleizer
89d32402b2
fix, do not use "," inside /usr/share/pam-configs files 2019-07-31 14:52:29 -04:00
Patrick Schleizer
cf90668756
lock user accounts after 5 failed authentication attempts using pam_tally2 2019-07-31 03:25:02 -04:00
Patrick Schleizer
3e29761560
debug at the end 2019-07-31 03:17:06 -04:00
Patrick Schleizer
5cdb3edb32
usr/share/pam-configs/wheel -> usr/share/pam-configs/security-misc 2019-07-31 03:16:41 -04:00
Patrick Schleizer
3f9437f1ec
Revert "set back to default group "root" rather than group "sudo" membership required to use su"
This reverts commit 2f276cdb10.
2019-07-17 14:25:19 -04:00
Patrick Schleizer
2f276cdb10
set back to default group "root" rather than group "sudo" membership required to use su
since root login will be locked by default anyhow

Thanks to @madaidan for providing the rationale!

https://forums.whonix.org/t/restrict-root-access/7658/42
2019-07-15 08:44:28 -04:00
Patrick Schleizer
6d1e8ac9a4
description 2019-07-14 11:16:49 +00:00
Patrick Schleizer
ffb61f43ea
fix, add 'group=sudo' and 'debug' for debugging
https://forums.whonix.org/t/restrict-root-access/7658
2019-07-14 11:11:59 +00:00
Patrick Schleizer
6af2d7facb
copyright 2019-07-13 18:12:25 +00:00
Patrick Schleizer
75f0ca565d
set -e 2019-07-13 18:12:04 +00:00
Patrick Schleizer
c389e13e1a
use pre.bsh 2019-07-13 17:59:49 +00:00
Patrick Schleizer
e9eb38b5db
formatting 2019-07-13 15:04:09 +00:00
Patrick Schleizer
cb668459e8
port umask from /etc/pam.d to /usr/share/pam-configs implementation
https://forums.whonix.org/t/change-default-umask/7416
2019-07-13 10:35:10 -04:00
Patrick Schleizer
69b97981f3
convert etc/pam.d/su.security-misc to usr/share/pam-configs/wheel
https://forums.whonix.org/t/restrict-root-access/7658/32
2019-07-13 12:33:51 +00:00
Patrick Schleizer
bea98474ba
chmod +x usr/lib/security-misc/panic-on-oops 2019-07-11 07:07:21 +00:00
madaidan
52c61011d4
Create panic-on-oops 2019-07-08 22:58:56 +00:00
Patrick Schleizer
a978fe1000
chmod +x usr/lib/security-misc/remove-system.map 2019-06-28 07:17:35 +00:00
madaidan
9392c8deb2
Update remove-system.map 2019-06-26 15:03:54 +00:00
madaidan
8ef0db17e6
Use a for loop to detect if System.map exists 2019-06-26 12:59:45 +00:00
madaidan
382e336f69
Create remove-system.map 2019-06-25 19:20:27 +00:00
Patrick Schleizer
f9acd890a7
lintian 2019-06-09 10:24:24 +00:00
Patrick Schleizer
c040117fe4
lintian 2019-05-12 10:50:34 +00:00
Patrick Schleizer
6ba1fb70d2
port to debian buster 2019-04-05 14:06:00 -04:00
Patrick Schleizer
811dcee2cb
fix lintian warning 2019-04-05 09:26:18 -04:00
Patrick Schleizer
5b3fc2f6b9
update copyright 2018-01-29 15:22:05 +00:00
Patrick Schleizer
c3b6a44e97
update copyright 2018-01-29 15:15:17 +00:00
Patrick Schleizer
ff28f5932c
update copyright 2018-01-29 15:09:42 +00:00
Patrick Schleizer
f6bc188485
comment 2017-02-28 15:22:54 +01:00
Patrick Schleizer
18e23af784
cleanup 2017-02-27 23:59:37 +00:00
Patrick Schleizer
6195450eb2
No longer ignore duplicate apt sources in apt-get-wrapper.
No longer acceptable because these generate lots of noise in the terminal.
2017-02-27 23:57:04 +00:00
Patrick Schleizer
191918027c
adjust apt-get-wrapper for Debian stretch's apt-get 2017-02-27 23:43:02 +00:00
Patrick Schleizer
2130b4c654
use python rather than unbuffer
because unbuffer eats exit code when process is killed
2017-02-27 23:16:32 +00:00
Patrick Schleizer
cc351165dc
apt-get-wrapper:
- fix exit code handling
- code simplification
2017-02-27 19:36:38 +00:00
Patrick Schleizer
5653b7732a
fix, show progress during apt-get-wrapper
fix, propagate signals to apt-get child process
2017-02-26 23:57:17 +00:00
Patrick Schleizer
49cde21078
Whonix 14 KDE plasma 5 fixes
https://phabricator.whonix.org/T633
2017-02-21 19:54:41 +00:00
Patrick Schleizer
5ba2a5b6ff
disable previews in nautilus by default for better security
copied solution by @unman

https://github.com/QubesOS/qubes-issues/issues/1108

https://github.com/QubesOS/qubes-core-agent-linux/pull/39

https://phabricator.whonix.org/T500
2017-02-19 22:25:28 +00:00
Patrick Schleizer
bddbba84a6
"$@" 2017-02-14 17:30:31 +00:00
Patrick Schleizer
9b0d3e34fc
add usr/lib/security-misc/apt-get-update-sanity-test
a CVE-2016-1252 sanity test script
2017-02-14 02:37:08 +00:00
Patrick Schleizer
90f175e117
double apt-get-update wrapper timeout from 120 to 240 seconds
since it takes a bit longer than 120 seconds for me on a fast connection
2017-02-08 14:26:26 +00:00
Patrick Schleizer
0cf6524f0f
apt-get-update: implement SIGINT trap; hide 'ps' output 2016-12-25 02:33:44 +00:00
Patrick Schleizer
c4089d8d40
update path to /usr/lib/security-misc/apt-get-wrapper 2016-12-25 01:36:04 +00:00
Patrick Schleizer
7b01fb9341
remove obsolete comments 2016-12-25 01:35:17 +00:00
Patrick Schleizer
8160cfe1d7
moved apt-get-update and apt-get-wrapper from whonixcheck to security-misc 2016-12-25 01:29:31 +00:00
Patrick Schleizer
d3ccf0eeaf
initial commit 2015-12-15 02:00:24 +00:00