298 Commits

Author	SHA1	Message	Date
Patrick Schleizer	a10597de92	bumped changelog version	2019-12-12 09:04:15 -05:00
Patrick Schleizer	729fa26eca	use pam_acccess only for /etc/pam.d/login ... remove "Allow members of group 'ssh' to login." remove "+:ssh:ALL EXCEPT LOCAL"	2019-12-12 09:00:08 -05:00
Patrick Schleizer	22b6480bc4	bumped changelog version	2019-12-10 11:44:02 -05:00
Patrick Schleizer	88bea2a6ef	comment	2019-12-10 03:53:10 -05:00
Patrick Schleizer	7d8001ddc9	refactoring	2019-12-10 03:51:39 -05:00
Patrick Schleizer	d2f6ac0491	fix, do user/group modifications in preinst rather than postinst	2019-12-10 03:50:23 -05:00
Patrick Schleizer	64ae53edb9	bumped changelog version	2019-12-09 08:25:30 -05:00
Patrick Schleizer	6f944234a9	bumped changelog version	2019-12-08 05:26:29 -05:00
Patrick Schleizer	c192644ee3	security-misc /usr/share/pam-configs/permission-lockdown-security-misc is no longer required, removed. ... Thereby fix apparmor issue. > Dec 08 09:47:50 host audit[3232]: AVC apparmor="DENIED" operation="exec" profile="/usr/bin/whonixcheck" name="/usr/lib/security-misc/permission-lockdown" pid=3232 comm="sudo" requested_mask="x" denied_mask="x" fsuid=0 ouid=0 > Dec 08 09:47:50 host sudo[3232]: pam_exec(sudo:session): execve(/usr/lib/security-misc/permission-lockdown,...) failed: Permission denied It is no longer required, because... existing linux user accounts: * Get permission lock down because security-misc `debian/security-misc.postinst` calls `/usr/lib/security-misc/permission-lockdown`. new linux user accounts (created at first boot): * security-misc `/usr/share/pam-configs/mkhomedir-security-misc` pam mkhomedir sets secure permissions using `umask=027`.	2019-12-08 05:21:35 -05:00
Patrick Schleizer	edcc2de71d	bumped changelog version	2019-12-08 04:38:33 -05:00
Patrick Schleizer	17d81d0083	bumped changelog version	2019-12-08 04:27:01 -05:00
Patrick Schleizer	ebae9eef38	skip sudo_users_check in Qubes ... Qubes users can use dom0 to get a root terminal emulator. For example: qvm-run -u root debian-10 xterm	2019-12-08 04:25:19 -05:00
Patrick Schleizer	53e4717c62	bumped changelog version	2019-12-08 04:05:29 -05:00
Patrick Schleizer	a345a0fb64	abort installation if ssh.service is enabled but no user is member of group ssh	2019-12-08 03:27:12 -05:00
Patrick Schleizer	cea598dc1a	refactoring	2019-12-08 02:43:05 -05:00
Patrick Schleizer	54f5e02c21	comment	2019-12-08 02:42:30 -05:00
Patrick Schleizer	b4265195f4	refactoring	2019-12-08 02:41:36 -05:00
Patrick Schleizer	0f65b2e85c	abort installation if no user is a member of group "console"; output ... https://forums.whonix.org/t/etc-security-hardening-console-lockdown-pam-access-access-conf/8592/7	2019-12-08 02:38:19 -05:00
Patrick Schleizer	1dbca1ea2d	add usr/bin/hardening-enable	2019-12-08 02:27:09 -05:00
Patrick Schleizer	24423b42f0	description	2019-12-08 02:03:05 -05:00
Patrick Schleizer	6b01e5be14	comment	2019-12-08 02:01:22 -05:00
Patrick Schleizer	66bebefc9f	description	2019-12-08 02:00:23 -05:00
Patrick Schleizer	52e0f104cc	comment	2019-12-08 01:59:55 -05:00
Patrick Schleizer	731d486fa0	refactoring	2019-12-08 01:58:58 -05:00
Patrick Schleizer	221a2df2a2	refactoring	2019-12-08 01:58:37 -05:00
Patrick Schleizer	b871421a54	usr/share/pam-configs/console-lockdown -> usr/share/pam-configs/console-lockdown-security-misc	2019-12-08 01:57:43 -05:00
Patrick Schleizer	d36669596f	comment	2019-12-08 01:56:30 -05:00
Patrick Schleizer	1a0f353708	comment	2019-12-08 01:47:40 -05:00
Patrick Schleizer	eed1f0a462	comment	2019-12-08 01:46:32 -05:00
Patrick Schleizer	2491b62393	refactoring, add all groups first before adding any users to any groups	2019-12-08 01:43:45 -05:00
Patrick Schleizer	1464f01d19	description	2019-12-08 01:30:42 -05:00
Patrick Schleizer	c1800b13fe	separate group "ssh" for incoming ssh console permission ... Thanks to @madaidan https://forums.whonix.org/t/etc-security-hardening-console-lockdown-pam-access-access-conf/8592/16	2019-12-07 11:26:39 -05:00
Patrick Schleizer	55225aa30e	description	2019-12-07 07:16:07 -05:00
Patrick Schleizer	34a2bc16c8	description	2019-12-07 07:15:58 -05:00
Patrick Schleizer	d823f06c78	description	2019-12-07 07:13:42 -05:00
Patrick Schleizer	090ddbe96a	description	2019-12-07 06:00:41 -05:00
Patrick Schleizer	6479c883bf	Console Lockdown. ... Allow members of group 'console' to use tty1 to tty7. Everyone else except members of group 'console-unrestricted' are restricted from using console using ancient, unpopular login methods such as using /bin/login over networks, which might be exploitable. (CVE-2001-0797) Not enabled by default in this package since this package does not know which users shall be added to group 'console'. In new Whonix builds, user 'user" will be added to group 'console' and pam console-lockdown enabled by package anon-base-files. /usr/share/pam-configs/console-lockdown /etc/security/access-security-misc.conf https://forums.whonix.org/t/etc-security-hardening/8592	2019-12-07 05:40:20 -05:00
Patrick Schleizer	52934c9288	bumped changelog version	2019-12-07 02:02:32 -05:00
Patrick Schleizer	6d92d03b31	description	2019-12-07 01:54:50 -05:00
Patrick Schleizer	0afcc5e798	bumped changelog version	2019-12-06 12:43:21 -05:00
Patrick Schleizer	af0cf058e7	bumped changelog version	2019-12-06 11:18:20 -05:00
Patrick Schleizer	bff425fec2	bumped changelog version	2019-12-06 09:32:18 -05:00
Patrick Schleizer	470cad6e91	remount /home /tmp /dev/shm /run with nosuid,nodev (default) and noexec (opt-in) ... https://forums.whonix.org/t/re-mount-home-and-other-with-noexec-and-nosuid-among-other-useful-mount-options-for-better-security/7707	2019-12-06 05:14:02 -05:00
madaidan	af9e19c51f	Update control	2019-12-05 20:14:55 +00:00
Patrick Schleizer	0c25a96b59	description / comments	2019-12-03 02:18:32 -05:00
madaidan	8d63da3cef	Update control	2019-12-02 16:46:12 +00:00
Patrick Schleizer	6ca48fffdc	bumped changelog version	2019-11-28 10:22:41 -05:00
Patrick Schleizer	25aed91eb1	description	2019-11-28 09:20:46 -05:00
Patrick Schleizer	0c4e5df3e0	description	2019-11-28 09:18:05 -05:00
Patrick Schleizer	5ac2a6f9ac	description	2019-11-28 09:17:32 -05:00