Commit Graph

289 Commits

Author SHA1 Message Date
Patrick Schleizer
a67007f4b7
copyright 2021-03-17 09:45:21 -04:00
Patrick Schleizer
a1819e8cab
comment 2021-03-01 09:15:44 -05:00
Kenton Groombridge
4db7d6be64
hide-hardware-info: allow unrestricting selinuxfs
On SELinux systems, the /sys/fs/selinux directory must be visible to
userspace utilities in order to function properly.
2021-02-06 03:02:08 -05:00
Patrick Schleizer
af3244741d
comment 2021-01-29 23:15:52 -05:00
Patrick Schleizer
b0b7f569ee
comment 2021-01-28 02:11:54 -05:00
Patrick Schleizer
9622f28e25
skip counting failed login attempts from dovecot
Failed dovecot logins should not result in account getting locked.

revert "use pam_tally2 only for login"
2021-01-27 05:49:34 -05:00
Patrick Schleizer
c5097ed599
comment 2020-12-06 04:23:09 -05:00
Patrick Schleizer
c031f22995
SUID Disabler and Permission Hardener: introduce configuration option to disable all whitelists
`whitelists_disable_all=true`
2020-12-01 05:14:48 -05:00
Patrick Schleizer
b09cc0de6a
Revert "SUID Disabler and Permission Hardener: introduce configuration option to disable all whitelists"
This reverts commit 36a471ebce.
2020-12-01 05:10:26 -05:00
Patrick Schleizer
36a471ebce
SUID Disabler and Permission Hardener: introduce configuration option to disable all whitelists
`whitelists_disable_all=true`
2020-12-01 05:02:34 -05:00
Patrick Schleizer
28a326a8a1
add feature /usr/lib/security-misc/permission-hardening-undo /path/to/filename
to allow removing 1 SUID

fix, show INFO message if file does not exist during removal rather than ERROR
2020-11-28 05:31:12 -05:00
Patrick Schleizer
abae787186
usability: pam abort when attempting to login to root when root password is locked 2020-11-05 06:47:16 -05:00
Patrick Schleizer
581e31af81
comment 2020-11-05 06:46:57 -05:00
Patrick Schleizer
dfe9b0f6c7
fix, no longer unconditionally abort pam for user accounts with locked passwords
as locked user accounts might have valid sudoers exceptions

Thanks to @mimp for the bug report!

https://forums.whonix.org/t/pam-abort-on-locked-password-and-running-privileged-command-from-web-browser/10521
2020-11-05 06:42:47 -05:00
Patrick Schleizer
211769dc65
comment 2020-11-05 06:41:51 -05:00
Patrick Schleizer
7952139731
comment 2020-11-05 06:39:32 -05:00
Patrick Schleizer
bb72c1278d
copyright 2020-11-05 06:36:39 -05:00
Patrick Schleizer
1188a44f47
port to python 3.7 2020-04-04 16:49:30 -04:00
Patrick Schleizer
2ceea8d1fe
update copyright year 2020-04-01 08:49:59 -04:00
Patrick Schleizer
9bbae903fe
remove-system.map: lower verbosity output 2020-02-15 05:29:48 -05:00
madaidan
31009f0bfa
Shred System.map files 2020-02-14 23:46:19 +00:00
Patrick Schleizer
1f6ed2cc70
add support for passing parameters to usr/lib/security-misc/apt-get-update 2020-02-03 08:55:20 -05:00
Patrick Schleizer
8627c9f76d
/usr/lib/security-misc/apt-get-update increase default timeout_after="600" 2020-01-31 12:18:02 -05:00
Patrick Schleizer
829e28aa90
/usr/lib/security-misc/apt-get-update environment variable timeout_after kill_after support 2020-01-31 12:17:07 -05:00
Patrick Schleizer
d4a37b6df2
remove-system.map: source /usr/lib/helper-scripts/pre.bsh 2020-01-24 03:18:17 -05:00
Patrick Schleizer
18041efa2f
fix pam tally2 check when read-only disk boot without ro-mode-init or grub-live 2020-01-21 10:01:17 -05:00
Patrick Schleizer
5031e7cc4b
better output if trying to login with non-existing user 2019-12-31 08:18:38 -05:00
Patrick Schleizer
20697db3ee
improve console lockdown info output 2019-12-31 02:53:02 -05:00
Patrick Schleizer
788914de95
group ssh check was removed
https://forums.whonix.org/t/etc-security-hardening-console-lockdown-pam-access-access-conf/8592/27
2019-12-31 02:46:32 -05:00
Patrick Schleizer
1a0f7a7733
debugging 2019-12-29 04:43:32 -05:00
Patrick Schleizer
5271892cb1
debugging 2019-12-29 04:42:54 -05:00
Patrick Schleizer
683028049c
debugging 2019-12-29 04:41:23 -05:00
Patrick Schleizer
e3e1ff2a31
exit with error if a config line cannot be processed rather than skipping
https://forums.whonix.org/t/disable-suid-binaries/7706/59
2019-12-29 04:35:46 -05:00
Patrick Schleizer
d5c99f3a60
output 2019-12-29 04:27:21 -05:00
Patrick Schleizer
04f438f75d
comment 2019-12-24 18:09:37 -05:00
Patrick Schleizer
9da0e428ed
debugging 2019-12-24 17:54:31 -05:00
Patrick Schleizer
e18ec533c3
comment 2019-12-24 17:54:02 -05:00
Patrick Schleizer
f8f2e6c704
fix disablewhitelist feature 2019-12-23 02:35:13 -05:00
Patrick Schleizer
47ddcad0c0
rename keyword whitelist to exactwhitelist
add new keyword disablewhitelist

refactoring
2019-12-23 02:29:47 -05:00
Patrick Schleizer
34bf245713
output 2019-12-23 01:35:45 -05:00
Patrick Schleizer
ba30e45d15
output 2019-12-23 01:32:42 -05:00
Patrick Schleizer
ee9c5742da
output 2019-12-23 01:29:48 -05:00
Patrick Schleizer
6d05359abc
output 2019-12-23 01:21:52 -05:00
Patrick Schleizer
a1e78e8515
fix needlessly re-adding entries 2019-12-23 01:20:56 -05:00
Patrick Schleizer
906b3d32e7
output 2019-12-23 01:09:57 -05:00
Patrick Schleizer
4f76867da6
lower debugging 2019-12-23 01:08:02 -05:00
Patrick Schleizer
dc6e5d8508
fix 2019-12-23 01:06:38 -05:00
Patrick Schleizer
87b999f92a
refactoring 2019-12-23 00:59:43 -05:00
Patrick Schleizer
065ff4bd05
sanity_tests 2019-12-23 00:59:24 -05:00
Patrick Schleizer
fef1469fe6
exit non-zero if capability removal failed 2019-12-23 00:51:14 -05:00