Patrick Schleizer
9d77d88a4d
comments
2019-12-23 09:39:50 -05:00
Patrick Schleizer
3e131174d5
comments
2019-12-23 05:00:35 -05:00
Patrick Schleizer
9f072ce4f9
comment
2019-12-23 03:46:02 -05:00
Patrick Schleizer
26fe9394ff
disable lockdown for now due to module loading
2019-12-23 03:41:54 -05:00
madaidan
535c258b83
More kernel hardening
2019-12-23 03:35:07 -05:00
Patrick Schleizer
11b4192fbd
comments
2019-12-23 03:28:42 -05:00
Patrick Schleizer
2152fa2d61
comment
2019-12-23 02:38:53 -05:00
Patrick Schleizer
f8f2e6c704
fix disablewhitelist feature
2019-12-23 02:35:13 -05:00
Patrick Schleizer
47ddcad0c0
rename keyword whitelist to exactwhitelist
...
add new keyword disablewhitelist
refactoring
2019-12-23 02:29:47 -05:00
Patrick Schleizer
1ff56625a1
polkit-agent-helper-1 matchwhitelist to match both
...
- /usr/lib/policykit-1/polkit-agent-helper-1 matchwhitelist
- /lib/policykit-1/polkit-agent-helper-1
2019-12-23 01:42:03 -05:00
Patrick Schleizer
d484b299ea
matchwhitelist /qubes/qfile-unpacker to match both
...
- /usr/lib/qubes/qfile-unpacker whitelist
- /lib/qubes/qfile-unpacker
2019-12-23 01:38:31 -05:00
Patrick Schleizer
58a4e0bc7d
dbus-daemon-launch-helper matchwhitelist
2019-12-22 19:12:10 -05:00
Patrick Schleizer
15e3a2832d
comment
2019-12-22 18:57:23 -05:00
Patrick Schleizer
6eb8fd257a
suid utempter/utempter matchwhitelist
...
to cover both:
/usr/lib/x86_64-linux-gnu/utempter/utempter
/lib/x86_64-linux-gnu/utempter/utempter
2019-12-22 18:56:36 -05:00
Patrick Schleizer
bce02ffdc0
Merge pull request #47 from madaidan/msr
...
Blacklist CPU MSRs
2019-12-22 15:26:07 +00:00
madaidan
dd93b11321
Blacklist CPU MSRs
2019-12-22 13:52:43 +00:00
Patrick Schleizer
2ddf7b5db5
/lib/ nosuid
2019-12-21 14:06:51 -05:00
Patrick Schleizer
2350e0f5d0
Merge remote-tracking branch 'origin/master'
2019-12-21 06:57:10 -05:00
Patrick Schleizer
efd65a3f15
Merge pull request #45 from madaidan/apparmor
...
Delete apparmor profiles
2019-12-21 11:56:31 +00:00
Patrick Schleizer
3ea587187e
no need to exclude xorg nosuid on Debian
...
http://forums.whonix.org/t/permission-hardening/8655/25
2019-12-21 06:53:07 -05:00
madaidan
c28ddf5c4d
Delete usr.lib.security-misc.pam_tally2-info
2019-12-20 22:44:31 +00:00
madaidan
cfe69dd669
Delete usr.lib.security-misc.permission-lockdown
2019-12-20 22:44:27 +00:00
Patrick Schleizer
d220bb3bc4
suid /usr/lib/chromium/chrome-sandbox whitelist
2019-12-20 13:07:01 -05:00
Patrick Schleizer
77b3dd5d6b
comments
2019-12-20 13:02:33 -05:00
Patrick Schleizer
d7bd477e73
add "/usr/lib/xorg/Xorg.wrap whitelist"
...
until this is researched
https://manpages.debian.org/buster/xserver-xorg-legacy/Xorg.wrap.1.en.html
https://lwn.net/Articles/590315/
2019-12-20 12:59:27 -05:00
Patrick Schleizer
17e8605119
add matchwhitelist feature
...
add "/usr/lib/virtualbox/ matchwhitelist"
2019-12-20 12:57:24 -05:00
Patrick Schleizer
3fab387669
suid /usr/bin/firejail whitelist
...
There is a controversy about firejail but those who choose to install it
should be able to use it.
https://www.whonix.org/wiki/Dev/Firejail#Security
2019-12-20 12:50:35 -05:00
Patrick Schleizer
d3f16a5bf4
sgid /usr/lib/qubes/qfile-unpacker whitelist
2019-12-20 12:47:10 -05:00
Patrick Schleizer
508ec0c6fa
comment
2019-12-20 12:34:07 -05:00
Patrick Schleizer
1b569ea790
comment
2019-12-20 12:32:36 -05:00
Patrick Schleizer
e28da89253
/bin/sudo whitelist / /bin/bwrap whitelist
2019-12-20 09:48:06 -05:00
Patrick Schleizer
6d30e3b4a2
do not remove suid from whitelisted binaries ever
...
https://forums.whonix.org/t/permission-hardening/8655/13
2019-12-20 08:13:23 -05:00
Patrick Schleizer
48fe7312bf
update config
2019-12-20 05:57:41 -05:00
Patrick Schleizer
87d820d84c
comment
2019-12-20 05:54:16 -05:00
Patrick Schleizer
46466c12ad
parse drop-in config folder rather than only one config file
2019-12-20 05:49:11 -05:00
Patrick Schleizer
6c8127e3cd
remove "/lib/ nosuid" from permission hardening
...
Takes 1 minute to parse. No SUID binaries there by default.
remount-secure mounts it with nosuid anyhow.
Therefore no processing it here.
2019-12-20 05:29:37 -05:00
Patrick Schleizer
788a2c1ba3
comment
2019-12-20 03:45:01 -05:00
madaidan
9df7407286
Remove SUID bits
2019-12-19 17:01:33 +00:00
Patrick Schleizer
729fa26eca
use pam_acccess only for /etc/pam.d/login
...
remove "Allow members of group 'ssh' to login."
remove "+:ssh:ALL EXCEPT LOCAL"
2019-12-12 09:00:08 -05:00
madaidan
6c564f6e95
Create permission-hardening.conf
2019-12-08 16:50:11 +00:00
Patrick Schleizer
9432d16378
/usr/bin/cat mrix,
2019-12-07 12:13:42 -05:00
Patrick Schleizer
c1800b13fe
separate group "ssh" for incoming ssh console permission
...
Thanks to @madaidan
https://forums.whonix.org/t/etc-security-hardening-console-lockdown-pam-access-access-conf/8592/16
2019-12-07 11:26:39 -05:00
Patrick Schleizer
8636d2f629
add securetty
2019-12-07 06:51:10 -05:00
Patrick Schleizer
8b3f5a555b
add console lockdown to pam info output
2019-12-07 06:25:45 -05:00
Patrick Schleizer
021b06dac9
add hvc0 to hvc9
2019-12-07 06:04:45 -05:00
Patrick Schleizer
8a59662a44
comment
2019-12-07 06:02:45 -05:00
Patrick Schleizer
cda6724755
add pts/0 to pts/9
2019-12-07 05:56:57 -05:00
Patrick Schleizer
218cbddba9
comment
2019-12-07 05:52:06 -05:00
Patrick Schleizer
6479c883bf
Console Lockdown.
...
Allow members of group 'console' to use tty1 to tty7. Everyone else except
members of group 'console-unrestricted' are restricted from using console
using ancient, unpopular login methods such as using /bin/login over networks,
which might be exploitable. (CVE-2001-0797)
Not enabled by default in this package since this package does not know which
users shall be added to group 'console'.
In new Whonix builds, user 'user" will be added to group 'console' and
pam console-lockdown enabled by package anon-base-files.
/usr/share/pam-configs/console-lockdown
/etc/security/access-security-misc.conf
https://forums.whonix.org/t/etc-security-hardening/8592
2019-12-07 05:40:20 -05:00
Patrick Schleizer
8cf5ed990a
comment
2019-12-05 15:52:24 -05:00