Patrick Schleizer
af8ff65f84
comment
2022-06-29 10:01:51 -04:00
Patrick Schleizer
83519a58c7
bumped changelog version
2022-06-29 09:54:27 -04:00
Patrick Schleizer
38cdf2722b
- Wipe LUKS Disk Encryption Key for Root Disk from RAM during Shutdown to defeat Cold Boot Attacks
- Confirm in console output if encrypted mounts (root disk) are unmounted. (Because that is a pre-condition for wiping the LUKS full disk encryption key from RAM.)
Thanks to @friedy10!
https://github.com/friedy10/dracut/tree/master/modules.d/40sdmem
https://forums.whonix.org/t/is-ram-wipe-possible-inside-whonix-cold-boot-attack-defense/5596
2022-06-29 09:32:55 -04:00
Patrick Schleizer
adca1ebdf6
bumped changelog version
2022-06-08 11:05:07 -04:00
Patrick Schleizer
616fe857f7
bumped changelog version
2022-05-25 06:07:17 -04:00
Patrick Schleizer
2d37e3a1af
copyright
2022-05-20 14:46:38 -04:00
Patrick Schleizer
0051a6935a
bumped changelog version
2022-02-10 14:06:54 -05:00
Patrick Schleizer
96026a5e90
bumped changelog version
2021-09-14 14:18:52 -04:00
Patrick Schleizer
03276fbec5
bumped changelog version
2021-09-12 11:57:20 -04:00
Patrick Schleizer
64e9f0016a
bumped changelog version
2021-09-09 12:35:37 -04:00
Patrick Schleizer
d16d9a5455
bumped changelog version
2021-09-06 09:46:20 -04:00
Patrick Schleizer
bb3a3178f1
bumped changelog version
2021-09-06 04:55:23 -04:00
Patrick Schleizer
a67d1754d4
bumped changelog version
2021-09-05 16:04:28 -04:00
Patrick Schleizer
1b09d56718
bumped changelog version
2021-09-04 18:29:00 -04:00
Patrick Schleizer
1a10293b04
bumped changelog version
2021-09-04 12:00:55 -04:00
Patrick Schleizer
e2810f348b
Depends: libpam-modules-bin
2021-09-04 11:50:31 -04:00
Patrick Schleizer
3c64ec8f91
bumped changelog version
2021-09-02 14:36:53 -04:00
Patrick Schleizer
224ae730c1
bumped changelog version
2021-08-22 05:32:18 -04:00
Patrick Schleizer
ef2b067c03
bumped changelog version
2021-08-17 15:24:12 -04:00
Patrick Schleizer
8676beef90
bumped changelog version
2021-08-10 18:26:32 -04:00
Patrick Schleizer
582492d6d8
port from pam_tally2 to pam_faillock
since pam_tally2 was deprecated upstream
2021-08-10 17:13:00 -04:00
Patrick Schleizer
6376bbff80
bumped changelog version
2021-08-05 17:03:43 -04:00
Patrick Schleizer
3756016f42
lintian --suppress-tags obsolete-command-in-modprobe.d-file
https://forums.whonix.org/t/blacklist-more-kernel-modules-to-reduce-attack-surface/7989/24
2021-08-03 13:04:34 -04:00
Patrick Schleizer
50bdd097df
move /usr/lib/security-misc to /usr/libexec/security-misc as per lintian FHS
2021-08-03 12:56:31 -04:00
Patrick Schleizer
6607c1e4bd
move /usr/lib/helper-scripts and /usr/lib/curl-scripts to /usr/libexec/helper-scripts as per lintian FHS
2021-08-03 12:48:57 -04:00
Patrick Schleizer
5e3338f8d3
bullseye
2021-08-03 05:48:25 -04:00
Patrick Schleizer
82f3961a71
bumped changelog version
2021-08-01 13:12:08 -04:00
Patrick Schleizer
5a65c35479
port LKRG compatibility settings automation for VirtualBox hosts from systemd to dpkg trigger
2021-08-01 13:11:18 -04:00
Patrick Schleizer
f03c7978c7
bumped changelog version
2021-07-25 11:31:45 -04:00
Patrick Schleizer
3ebe9e7c53
bumped changelog version
2021-07-24 18:10:06 -04:00
Patrick Schleizer
0f86ffef04
bumped changelog version
2021-06-23 11:20:39 -04:00
Patrick Schleizer
0f3dbfc4a1
bumped changelog version
2021-06-20 10:16:57 -04:00
Patrick Schleizer
419f1d89c2
bumped changelog version
2021-06-07 12:13:37 -04:00
Patrick Schleizer
0305baf211
bumped changelog version
2021-06-01 07:36:59 -04:00
Patrick Schleizer
5bd59991cb
bumped changelog version
2021-05-05 08:37:56 -04:00
Patrick Schleizer
6e759f9196
config-package-dev displace /etc/dkms/framework.conf
https://forums.whonix.org/t/enforce-kernel-module-software-signature-verification-module-signing-disallow-kernel-module-loading-by-default/7880/58
2021-04-29 11:17:30 -04:00
Patrick Schleizer
1d35bdf291
bumped changelog version
2021-04-05 11:58:47 -04:00
Patrick Schleizer
e8ea94325b
bumped changelog version
2021-03-17 12:31:34 -04:00
Patrick Schleizer
a67007f4b7
copyright
2021-03-17 09:45:21 -04:00
Patrick Schleizer
0c4a7207e4
bumped changelog version
2021-03-04 07:09:01 -05:00
Patrick Schleizer
7f30d70295
bumped changelog version
2021-02-06 06:31:45 -05:00
Patrick Schleizer
3120ff3ec9
bumped changelog version
2021-01-29 23:37:03 -05:00
Patrick Schleizer
d9aaf59105
bumped changelog version
2021-01-28 02:15:46 -05:00
Patrick Schleizer
f2595cc254
bumped changelog version
2021-01-27 05:50:16 -05:00
Patrick Schleizer
480f74cab6
bumped changelog version
2021-01-24 05:10:36 -05:00
Patrick Schleizer
126c31c37d
bumped changelog version
2021-01-19 19:41:43 -05:00
Patrick Schleizer
611fbe2c61
description
2021-01-18 05:39:34 -05:00
Patrick Schleizer
0e8ea5eb72
bumped changelog version
2021-01-14 02:36:49 -05:00
Patrick Schleizer
353e74fb5f
bumped changelog version
2021-01-05 08:30:37 -05:00
Patrick Schleizer
a4d7e46141
bumped changelog version
2020-12-10 05:20:57 -05:00
Patrick Schleizer
261ef85c14
bumped changelog version
2020-12-01 05:53:06 -05:00
Patrick Schleizer
fe27483886
bumped changelog version
2020-11-28 06:08:10 -05:00
Patrick Schleizer
0ef35f8770
bumped changelog version
2020-11-06 10:18:09 -05:00
Patrick Schleizer
f4843b1deb
bumped changelog version
2020-10-31 06:29:25 -04:00
Patrick Schleizer
b06d4ca299
bumped changelog version
2020-10-31 06:09:22 -04:00
Patrick Schleizer
881d695bff
bumped changelog version
2020-10-05 07:03:37 -04:00
madaidan
06ffd5d220
Restrict access to debugfs
2020-09-28 19:21:20 +00:00
Patrick Schleizer
feb7cea4c5
bumped changelog version
2020-09-28 10:30:42 -04:00
Patrick Schleizer
5fc7b791db
bumped changelog version
2020-09-19 09:28:27 -04:00
Patrick Schleizer
98c0decaa4
bumped changelog version
2020-08-03 09:43:43 -04:00
Patrick Schleizer
b09f5ddc15
bumped changelog version
2020-07-29 08:33:07 -04:00
Patrick Schleizer
861f9d1022
bumped changelog version
2020-05-14 13:57:32 -04:00
Patrick Schleizer
81cb6ad246
bumped changelog version
2020-04-23 12:27:25 -04:00
Patrick Schleizer
aa5631b02b
bumped changelog version
2020-04-16 08:43:40 -04:00
Patrick Schleizer
df218ad658
bumped changelog version
2020-04-14 12:40:31 -04:00
Patrick Schleizer
b6dde34bfb
bumped changelog version
2020-04-13 06:56:34 -04:00
Patrick Schleizer
72be31e870
disable proc-hidepid by default because incompatible with pkexec
and undo pkexec wrapper
2020-04-12 16:48:13 -04:00
Patrick Schleizer
695ad5b83d
bumped changelog version
2020-04-09 09:45:30 +00:00
Patrick Schleizer
565ff136e5
vm.swappiness=1
import from swappiness-lowest
https://forums.whonix.org/t/vm-swappiness-1-set-swapiness-to-lowest-setting-still-useful-swappiness-lowest/9278
2020-04-08 21:04:02 +00:00
Patrick Schleizer
642d4d8d93
bumped changelog version
2020-04-08 17:13:21 +00:00
Patrick Schleizer
a9d0baffe6
python -> python3
2020-04-08 16:57:32 +00:00
Patrick Schleizer
4153d8d088
apparmor-profile-anondist -> apparmor-profile-dist
2020-04-08 16:51:22 +00:00
Patrick Schleizer
bfd6018d8d
bumped changelog version
2020-04-08 12:51:11 +00:00
Patrick Schleizer
663811a819
anon-base-files -> dist-base-files
2020-04-08 12:04:13 +00:00
Patrick Schleizer
cc8489df2f
bumped changelog version
2020-04-06 13:29:23 -04:00
Patrick Schleizer
5c81e1f23f
import from anon-gpg-conf
2020-04-06 09:25:45 -04:00
Patrick Schleizer
1b2a34ea80
bumped changelog version
2020-04-04 16:51:42 -04:00
Patrick Schleizer
a2c932aa5a
bumped changelog version
2020-04-02 07:58:51 -04:00
Patrick Schleizer
d9f2a0e4a1
remove 'Build-Depends: ronn' since no longer required
2020-04-01 17:34:59 -04:00
Patrick Schleizer
eda9c57a62
remove genmkfile
2020-04-01 16:57:33 -04:00
Patrick Schleizer
2609fe9c3e
add debian install file
2020-04-01 16:33:29 -04:00
Patrick Schleizer
d4b2baa9b6
bumped changelog version
2020-04-01 10:58:16 -04:00
Patrick Schleizer
2ceea8d1fe
update copyright year
2020-04-01 08:49:59 -04:00
Patrick Schleizer
b6de867dec
bumped changelog version
2020-04-01 08:26:44 -04:00
Patrick Schleizer
ad022fc0b7
fix
2020-04-01 08:21:06 -04:00
Patrick Schleizer
354af7085b
bumped changelog version
2020-03-31 07:41:45 -04:00
Patrick Schleizer
a369a0a94d
bumped changelog version
2020-03-30 18:42:02 -04:00
Patrick Schleizer
c22adbd92f
notify if security-misc installation is forced
2020-03-30 18:39:23 -04:00
Patrick Schleizer
7ee5fc1b76
bumped changelog version
2020-03-30 17:16:46 -04:00
Patrick Schleizer
f663b5eff8
skip check if any non-root user is a member of group sudo and console if
environment variable `SECURITY_MISC_INSTALL` is set to `force`
2020-03-30 17:15:02 -04:00
Patrick Schleizer
bc22fc9fdb
skip check if any non-root user is a member of group sudo and console if file
/var/lib/security-misc/skip_install_check exists
2020-03-30 17:12:43 -04:00
Patrick Schleizer
d7a69628b1
bumped changelog version
2020-03-21 14:56:48 -04:00
Patrick Schleizer
e4118cb21e
bumped changelog version
2020-03-12 04:43:08 -04:00
Patrick Schleizer
04a87f7029
bumped changelog version
2020-03-08 09:43:24 -04:00
Patrick Schleizer
44351ec9b7
remove no longer needed code for installation of apparmor profiles
2020-03-07 21:44:19 -05:00
Patrick Schleizer
71ae623916
bumped changelog version
2020-03-05 08:36:27 -05:00
Patrick Schleizer
15dde15a36
typo
2020-03-03 09:42:24 -05:00
Patrick Schleizer
8887af26d6
bumped changelog version
2020-03-03 09:19:49 -05:00
Patrick Schleizer
cd19c2da00
fix lintian warning
2020-03-03 09:18:24 -05:00
Patrick Schleizer
7e3fedefb2
bumped changelog version
2020-03-03 09:12:50 -05:00
Patrick Schleizer
453aa8a4eb
Merge pull request #65 from madaidan/userfaultfd
Restrict the userfaultfd() syscall to root
2020-02-29 12:28:32 +00:00
Patrick Schleizer
e3e39f2235
Merge remote-tracking branch 'origin/master'
2020-02-29 05:01:41 -05:00
Patrick Schleizer
b31caefdeb
description
2020-02-29 04:59:02 -05:00
Patrick Schleizer
bd7678c574
Merge pull request #66 from madaidan/mce
Fix docs
2020-02-28 12:04:05 +00:00
madaidan
42d3b986c4
Update control
2020-02-27 17:41:14 +00:00
Patrick Schleizer
4043d2af3f
description
2020-02-25 02:06:48 -05:00
Patrick Schleizer
0e5187ff24
description
2020-02-25 02:00:27 -05:00
madaidan
60fbf8b0de
Update control
2020-02-24 18:24:07 +00:00
madaidan
8ea4e50c8e
Update control
2020-02-16 19:52:40 +00:00
Patrick Schleizer
01eaee997e
bumped changelog version
2020-02-15 15:35:44 -05:00
Patrick Schleizer
dce54d5d0f
bumped changelog version
2020-02-15 15:29:38 -05:00
Patrick Schleizer
1e5946c795
Merge branch 'master' into sysrq
2020-02-15 10:41:52 +00:00
madaidan
0f49736957
Update control
2020-02-14 18:18:18 +00:00
madaidan
ace6211176
Update control
2020-02-14 17:51:17 +00:00
Patrick Schleizer
ad6b766886
Merge pull request #57 from madaidan/sysctl
Prevent symlink/hardlink TOCTOU races
2020-02-13 18:40:58 +00:00
Patrick Schleizer
14140ad41b
bumped changelog version
2020-02-13 13:39:45 -05:00
madaidan
2796c2dd00
Update control
2020-02-12 18:43:19 +00:00
madaidan
14f8458374
Update control
2020-02-12 18:05:32 +00:00
Patrick Schleizer
163e20b886
bumped changelog version
2020-02-05 06:31:48 -05:00
Patrick Schleizer
8c5cd865f4
bumped changelog version
2020-02-03 09:23:13 -05:00
Patrick Schleizer
2291b7f787
bumped changelog version
2020-02-03 08:43:31 -05:00
Patrick Schleizer
0bd0a4a647
bumped changelog version
2020-01-30 06:14:34 -05:00
Patrick Schleizer
d69c1839cd
bumped changelog version
2020-01-30 06:02:26 -05:00
Patrick Schleizer
2711d0f7f0
bumped changelog version
2020-01-30 01:22:32 -05:00
Patrick Schleizer
c1a0da60be
set kernel boot parameters l1tf=full,force and nosmt=force
https://forums.whonix.org/t/should-all-kernel-patches-for-cpu-bugs-be-unconditionally-enabled-vs-performance-vs-applicability/7647/17
2020-01-30 00:46:48 -05:00
Patrick Schleizer
efc40da4fb
bumped changelog version
2020-01-24 12:02:27 -05:00
Patrick Schleizer
f4c54881ac
description
2020-01-24 04:49:19 -05:00
Patrick Schleizer
25317f23e3
bumped changelog version
2020-01-24 04:41:16 -05:00
Patrick Schleizer
c0d3726b00
comment
2020-01-24 04:40:03 -05:00
Patrick Schleizer
a37da1c968
add digits to drop-in file names
2020-01-24 04:39:06 -05:00
Patrick Schleizer
2ab940c603
bumped changelog version
2020-01-24 04:34:18 -05:00
Patrick Schleizer
3a4d283169
description
2020-01-24 04:33:30 -05:00
Patrick Schleizer
e0aa67677d
merge the many modprobe.d config files into 1
and use a name starting with double digits
to make it easier to disable settings using a lexically higher config file
2020-01-24 04:30:36 -05:00
Patrick Schleizer
6a4c493213
merge the many sysctl config files into 1
and use a name starting with double digits
to make it easier to disable settings using a lexically higher config file
2020-01-24 04:26:36 -05:00
Patrick Schleizer
f653b94e77
bumped changelog version
2020-01-24 03:49:02 -05:00
Patrick Schleizer
8616728ce0
remove duplicate
2020-01-24 03:35:15 -05:00
Patrick Schleizer
3b283ec00f
bumped changelog version
2020-01-22 07:10:47 -05:00
Patrick Schleizer
531f17cb68
add update initramfs trigger
https://github.com/Whonix/security-misc/pull/53
2020-01-22 07:08:31 -05:00
Patrick Schleizer
df0b2afda1
bumped changelog version
2020-01-21 10:12:32 -05:00
Patrick Schleizer
627b95e0b3
bumped changelog version
2020-01-20 08:51:25 -05:00
Patrick Schleizer
fbe9b60d95
fix Whonix / Kicksecure
/var/lib/dpkg/tmp.ci/preinst: ERROR: No user is a member of group 'console'. Installation aborted.
/var/lib/dpkg/tmp.ci/preinst: ERROR: You probably want to run:
sudo adduser user console
2020-01-20 08:49:02 -05:00
Patrick Schleizer
960e1ff6e8
bumped changelog version
2020-01-17 03:32:57 -05:00
madaidan
1df48a226d
Update control
2020-01-15 20:30:17 +00:00
Patrick Schleizer
e110ea0b84
bumped changelog version
2020-01-15 11:37:52 -05:00
Patrick Schleizer
0618b53464
fix lintian warning
2020-01-15 11:35:07 -05:00
Patrick Schleizer
47ce3bec75
bumped changelog version
2020-01-15 11:05:54 -05:00
Patrick Schleizer
528c5fc4c4
Merge branch 'master' into sysctl-initramfs
2020-01-15 11:02:03 +00:00
Patrick Schleizer
1059ccf225
bumped changelog version
2020-01-14 09:28:28 -05:00
Patrick Schleizer
660837dc38
fix case when user "user" does not exist
2020-01-14 09:25:32 -05:00
Patrick Schleizer
18c726c3ee
comment
2020-01-14 09:23:02 -05:00
Patrick Schleizer
b8652681e7
fix legacy
2020-01-14 09:21:47 -05:00
Patrick Schleizer
cc21f912a3
bumped changelog version
2020-01-14 09:20:36 -05:00
madaidan
0953bbe1d7
Update control
2020-01-13 21:05:35 +00:00
madaidan
9dc43eae38
Description
2020-01-12 21:42:07 +00:00
Patrick Schleizer
8341242abc
bumped changelog version
2020-01-11 15:19:29 -05:00
Patrick Schleizer
61a2d390a7
lintian
2020-01-11 15:15:12 -05:00
madaidan
6088444c37
Update control
2020-01-11 18:38:17 +00:00
Patrick Schleizer
13a1e1321e
bumped changelog version
2020-01-01 05:59:59 -05:00
Patrick Schleizer
b2bdeb9095
bumped changelog version
2019-12-31 06:08:32 -05:00
Patrick Schleizer
2a3aae62b1
fix
2019-12-31 06:06:52 -05:00
Patrick Schleizer
427deec3f5
bumped changelog version
2019-12-31 06:03:48 -05:00
Patrick Schleizer
e89552c984
add user "user" to group "console" in Whonix and Kicksecure
enable Console Lockdown in Whonix and Kicksecure
2019-12-31 05:55:44 -05:00
Patrick Schleizer
b5a2d1dc58
bumped changelog version
2019-12-31 02:54:58 -05:00
Patrick Schleizer
06ed728d79
bumped changelog version
2019-12-30 06:42:14 -05:00
Patrick Schleizer
e4e9c4e3b0
bumped changelog version
2019-12-30 05:59:43 -05:00
Patrick Schleizer
d7f58db52c
bumped changelog version
2019-12-27 05:30:12 -05:00
Patrick Schleizer
507a30d6e3
bumped changelog version
2019-12-24 18:35:49 -05:00
Patrick Schleizer
0326cd5ee9
bumped changelog version
2019-12-24 08:07:55 -05:00
Patrick Schleizer
7a80837b4f
bumped changelog version
2019-12-23 08:48:04 -05:00
Patrick Schleizer
bef41a38c2
bumped changelog version
2019-12-23 03:58:00 -05:00
Patrick Schleizer
9ec5b0ee82
description: lockdown not enabled yet
2019-12-23 03:38:49 -05:00
Patrick Schleizer
1ff51ee061
merge
2019-12-23 03:37:28 -05:00
Patrick Schleizer
42ff53e9ad
bumped changelog version
2019-12-23 02:42:07 -05:00
Patrick Schleizer
175d1c2845
bumped changelog version
2019-12-23 02:13:13 -05:00
Patrick Schleizer
3670fcf48b
depend on libcap2-bin for setcap / getcap / capsh
2019-12-23 00:49:33 -05:00
Patrick Schleizer
bce02ffdc0
Merge pull request #47 from madaidan/msr
Blacklist CPU MSRs
2019-12-22 15:26:07 +00:00
madaidan
8f11a520f4
Update control
2019-12-22 13:54:16 +00:00
Patrick Schleizer
008ce4817c
bumped changelog version
2019-12-21 14:55:03 -05:00
Patrick Schleizer
1213415ce6
bumped changelog version
2019-12-21 14:23:35 -05:00
Patrick Schleizer
1c99b56c9b
bumped changelog version
2019-12-21 07:49:55 -05:00
Patrick Schleizer
b74e5ca972
comment
2019-12-21 07:47:00 -05:00
Patrick Schleizer
0c4db8c2b0
bumped changelog version
2019-12-21 07:38:25 -05:00
Patrick Schleizer
af8b04b73d
rm_conffile /etc/apparmor.d/usr.lib.security-misc.pam_tally2-info
rm_conffile /etc/apparmor.d/usr.lib.security-misc.permission-lockdown
https://github.com/Whonix/security-misc/pull/45
2019-12-21 06:58:01 -05:00
Patrick Schleizer
fac17a963d
bumped changelog version
2019-12-21 06:28:19 -05:00
Patrick Schleizer
78d33d8b57
bumped changelog version
2019-12-21 06:12:20 -05:00
Patrick Schleizer
ff48b672a8
bumped changelog version
2019-12-21 06:00:17 -05:00
Patrick Schleizer
65b5adb2d7
bumped changelog version
2019-12-21 05:38:39 -05:00
Patrick Schleizer
2b5a49a61b
bumped changelog version
2019-12-21 05:31:55 -05:00
Patrick Schleizer
ed20980f4c
refactoring
2019-12-21 05:07:10 -05:00
Patrick Schleizer
89be5f2ecb
bumped changelog version
2019-12-21 02:05:39 -05:00
Patrick Schleizer
1cd5fb6a00
bumped changelog version
2019-12-20 11:50:25 -05:00
Patrick Schleizer
28d12c3966
bumped changelog version
2019-12-20 11:09:22 -05:00
Patrick Schleizer
c0ddb76d74
bumped changelog version
2019-12-20 10:50:51 -05:00
Patrick Schleizer
089c40135f
bumped changelog version
2019-12-20 08:15:00 -05:00
Patrick Schleizer
ddc0eec63d
bumped changelog version
2019-12-20 07:12:36 -05:00
Patrick Schleizer
8e112c3423
description
2019-12-20 06:53:24 -05:00
Patrick Schleizer
24ea70384b
description
2019-12-20 06:53:03 -05:00
Patrick Schleizer
6dd6530fa5
remove hardening-enable
please invent package security-paranoid instead
https://forums.whonix.org/t/security-hardening-tool-usr-bin-hardening-enable-by-security-misc/8609
2019-12-20 05:32:26 -05:00
Patrick Schleizer
62eb462920
skip console_users_check for Qubes users
2019-12-16 06:46:48 -05:00
Patrick Schleizer
ab68182e11
bumped changelog version
2019-12-16 06:27:51 -05:00
Patrick Schleizer
2c4170e6f3
description
2019-12-12 09:47:58 -05:00
Patrick Schleizer
2d5ef378f3
description
2019-12-12 09:39:39 -05:00
Patrick Schleizer
a10597de92
bumped changelog version
2019-12-12 09:04:15 -05:00
Patrick Schleizer
729fa26eca
use pam_access only for /etc/pam.d/login
remove "Allow members of group 'ssh' to login."
remove "+:ssh:ALL EXCEPT LOCAL"
2019-12-12 09:00:08 -05:00
Patrick Schleizer
22b6480bc4
bumped changelog version
2019-12-10 11:44:02 -05:00
Patrick Schleizer
88bea2a6ef
comment
2019-12-10 03:53:10 -05:00
Patrick Schleizer
7d8001ddc9
refactoring
2019-12-10 03:51:39 -05:00
Patrick Schleizer
d2f6ac0491
fix, do user/group modifications in preinst rather than postinst
2019-12-10 03:50:23 -05:00
Patrick Schleizer
64ae53edb9
bumped changelog version
2019-12-09 08:25:30 -05:00
Patrick Schleizer
6f944234a9
bumped changelog version
2019-12-08 05:26:29 -05:00
Patrick Schleizer
c192644ee3
security-misc /usr/share/pam-configs/permission-lockdown-security-misc is no longer required, removed.
Thereby fix apparmor issue.
> Dec 08 09:47:50 host audit[3232]: AVC apparmor="DENIED" operation="exec" profile="/usr/bin/whonixcheck" name="/usr/lib/security-misc/permission-lockdown" pid=3232 comm="sudo" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
> Dec 08 09:47:50 host sudo[3232]: pam_exec(sudo:session): execve(/usr/lib/security-misc/permission-lockdown,...) failed: Permission denied
It is no longer required, because...
existing linux user accounts:
* Get permission lock down because security-misc `debian/security-misc.postinst` calls `/usr/lib/security-misc/permission-lockdown`.
new linux user accounts (created at first boot):
* security-misc `/usr/share/pam-configs/mkhomedir-security-misc` pam mkhomedir sets secure permissions using `umask=027`.
2019-12-08 05:21:35 -05:00
Patrick Schleizer
edcc2de71d
bumped changelog version
2019-12-08 04:38:33 -05:00
Patrick Schleizer
17d81d0083
bumped changelog version
2019-12-08 04:27:01 -05:00
Patrick Schleizer
ebae9eef38
skip sudo_users_check in Qubes
Qubes users can use dom0 to get a root terminal emulator.
For example:
qvm-run -u root debian-10 xterm
2019-12-08 04:25:19 -05:00
Patrick Schleizer
53e4717c62
bumped changelog version
2019-12-08 04:05:29 -05:00
Patrick Schleizer
a345a0fb64
abort installation if ssh.service is enabled but no user is member of group ssh
2019-12-08 03:27:12 -05:00
Patrick Schleizer
cea598dc1a
refactoring
2019-12-08 02:43:05 -05:00
Patrick Schleizer
54f5e02c21
comment
2019-12-08 02:42:30 -05:00
Patrick Schleizer
b4265195f4
refactoring
2019-12-08 02:41:36 -05:00
Patrick Schleizer
0f65b2e85c
abort installation if no user is a member of group "console"; output
https://forums.whonix.org/t/etc-security-hardening-console-lockdown-pam-access-access-conf/8592/7
2019-12-08 02:38:19 -05:00
Patrick Schleizer
1dbca1ea2d
add usr/bin/hardening-enable
2019-12-08 02:27:09 -05:00
Patrick Schleizer
24423b42f0
description
2019-12-08 02:03:05 -05:00
Patrick Schleizer
6b01e5be14
comment
2019-12-08 02:01:22 -05:00
Patrick Schleizer
66bebefc9f
description
2019-12-08 02:00:23 -05:00
Patrick Schleizer
52e0f104cc
comment
2019-12-08 01:59:55 -05:00
Patrick Schleizer
731d486fa0
refactoring
2019-12-08 01:58:58 -05:00
Patrick Schleizer
221a2df2a2
refactoring
2019-12-08 01:58:37 -05:00
Patrick Schleizer
b871421a54
usr/share/pam-configs/console-lockdown -> usr/share/pam-configs/console-lockdown-security-misc
2019-12-08 01:57:43 -05:00
Patrick Schleizer
d36669596f
comment
2019-12-08 01:56:30 -05:00
Patrick Schleizer
1a0f353708
comment
2019-12-08 01:47:40 -05:00
Patrick Schleizer
eed1f0a462
comment
2019-12-08 01:46:32 -05:00
Patrick Schleizer
2491b62393
refactoring, add all groups first before adding any users to any groups
2019-12-08 01:43:45 -05:00
Patrick Schleizer
1464f01d19
description
2019-12-08 01:30:42 -05:00
Patrick Schleizer
c1800b13fe
separate group "ssh" for incoming ssh console permission
Thanks to @madaidan
https://forums.whonix.org/t/etc-security-hardening-console-lockdown-pam-access-access-conf/8592/16
2019-12-07 11:26:39 -05:00
Patrick Schleizer
55225aa30e
description
2019-12-07 07:16:07 -05:00
Patrick Schleizer
34a2bc16c8
description
2019-12-07 07:15:58 -05:00
Patrick Schleizer
d823f06c78
description
2019-12-07 07:13:42 -05:00
Patrick Schleizer
090ddbe96a
description
2019-12-07 06:00:41 -05:00
Patrick Schleizer
6479c883bf
Console Lockdown.
Allow members of group 'console' to use tty1 to tty7. Everyone else except
members of group 'console-unrestricted' is restricted from using the console
via ancient, unpopular login methods such as using /bin/login over networks,
which might be exploitable. (CVE-2001-0797)
Not enabled by default in this package since this package does not know which
users shall be added to group 'console'.
In new Whonix builds, user 'user' will be added to group 'console' and
pam console-lockdown enabled by package anon-base-files.
/usr/share/pam-configs/console-lockdown
/etc/security/access-security-misc.conf
https://forums.whonix.org/t/etc-security-hardening/8592
2019-12-07 05:40:20 -05:00
Patrick Schleizer
52934c9288
bumped changelog version
2019-12-07 02:02:32 -05:00
Patrick Schleizer
6d92d03b31
description
2019-12-07 01:54:50 -05:00
Patrick Schleizer
0afcc5e798
bumped changelog version
2019-12-06 12:43:21 -05:00
Patrick Schleizer
af0cf058e7
bumped changelog version
2019-12-06 11:18:20 -05:00
Patrick Schleizer
bff425fec2
bumped changelog version
2019-12-06 09:32:18 -05:00
Patrick Schleizer
470cad6e91
remount /home /tmp /dev/shm /run with nosuid,nodev (default) and noexec (opt-in)
https://forums.whonix.org/t/re-mount-home-and-other-with-noexec-and-nosuid-among-other-useful-mount-options-for-better-security/7707
2019-12-06 05:14:02 -05:00
madaidan
af9e19c51f
Update control
2019-12-05 20:14:55 +00:00
Patrick Schleizer
0c25a96b59
description / comments
2019-12-03 02:18:32 -05:00
madaidan
8d63da3cef
Update control
2019-12-02 16:46:12 +00:00
Patrick Schleizer
6ca48fffdc
bumped changelog version
2019-11-28 10:22:41 -05:00
Patrick Schleizer
25aed91eb1
description
2019-11-28 09:20:46 -05:00