Commit Graph

20 Commits

Author SHA1 Message Date
Patrick Schleizer
2d37e3a1af
copyright 2022-05-20 14:46:38 -04:00
Patrick Schleizer
582492d6d8
port from pam_tally2 to pam_faillock
since pam_tally2 was deprecated upstream
2021-08-10 17:13:00 -04:00
Patrick Schleizer
a67007f4b7
copyright 2021-03-17 09:45:21 -04:00
Patrick Schleizer
a258f35f38
comment 2021-01-05 02:11:08 -05:00
Patrick Schleizer
bb72c1278d
copyright 2020-11-05 06:36:39 -05:00
Patrick Schleizer
7e267ab498
fix, allow group sudo and console to use consoles
fix /etc/security/access-security-misc.conf syntax error

Thanks to @81a989 for the bug report!

https://forums.whonix.org/t/etc-security-hardening-console-lockdown-pam-access-access-conf/8592/31
2020-08-03 08:12:19 -04:00
Patrick Schleizer
253578afdf
/etc/security/access-security-misc.conf white list ttyS0 etc.
ttyS0 ttyS1 ttyS2 ttyS3 ttyS4 ttyS5 ttyS6 ttyS7 ttyS8 ttyS9

Thanks to @subpar_marlin for the bug report and helping to fix this!

https://forums.whonix.org/t/how-do-i-enter-the-whonix-shell-from-cli/7271/43

https://forums.whonix.org/t/etc-security-hardening/8592
2020-04-13 06:50:32 -04:00
Patrick Schleizer
a7f2a2a3b6
console lockdown: allow members of group sudo to use console
https://forums.whonix.org/t/etc-security-hardening/8592

https://github.com/Whonix/security-misc/pull/74#issuecomment-607748407

https://www.whonix.org/wiki/Dev/Strong_Linux_User_Account_Isolation#Console_Lockdown
2020-04-02 06:04:45 -04:00
Patrick Schleizer
7764ee0d20
comments 2020-04-02 05:58:16 -04:00
Patrick Schleizer
2ceea8d1fe
update copyright year 2020-04-01 08:49:59 -04:00
Patrick Schleizer
814f613a2f
When using systemd-nspawn (chroot) then login requires console 'console' to be permitted. 2020-03-31 07:08:25 -04:00
Patrick Schleizer
a37da1c968
add digits to drop-in file names 2020-01-24 04:39:06 -05:00
Patrick Schleizer
729fa26eca
use pam_acccess only for /etc/pam.d/login
remove "Allow members of group 'ssh' to login."
remove "+:ssh:ALL EXCEPT LOCAL"
2019-12-12 09:00:08 -05:00
Patrick Schleizer
c1800b13fe
separate group "ssh" for incoming ssh console permission
Thanks to @madaidan

https://forums.whonix.org/t/etc-security-hardening-console-lockdown-pam-access-access-conf/8592/16
2019-12-07 11:26:39 -05:00
Patrick Schleizer
021b06dac9
add hvc0 to hvc9 2019-12-07 06:04:45 -05:00
Patrick Schleizer
8a59662a44
comment 2019-12-07 06:02:45 -05:00
Patrick Schleizer
cda6724755
add pts/0 to pts/9 2019-12-07 05:56:57 -05:00
Patrick Schleizer
218cbddba9
comment 2019-12-07 05:52:06 -05:00
Patrick Schleizer
6479c883bf
Console Lockdown.
Allow members of group 'console' to use tty1 to tty7. Everyone else except
members of group 'console-unrestricted' are restricted from using console
using ancient, unpopular login methods such as using /bin/login over networks,
which might be exploitable. (CVE-2001-0797)

Not enabled by default in this package since this package does not know which
users shall be added to group 'console'.

In new Whonix builds, user 'user" will be added to group 'console' and
pam console-lockdown enabled by package anon-base-files.

/usr/share/pam-configs/console-lockdown

/etc/security/access-security-misc.conf

https://forums.whonix.org/t/etc-security-hardening/8592
2019-12-07 05:40:20 -05:00
madaidan
230ef34db4
Create disable-coredumps.conf 2019-06-30 00:19:04 +00:00