security-misc

mirror of https://github.com/Kicksecure/security-misc.git synced 2024-10-01 08:25:45 -04:00

Author	SHA1	Message	Date
Patrick Schleizer	aa5451c8cd	Lock user accounts after 50 rather than 100 failed login attempts. https://forums.whonix.org/t/how-strong-do-linux-user-account-passwords-have-to-be-when-using-full-disk-encryption-fde-too/7698/19	2019-11-25 01:39:53 -05:00
Patrick Schleizer	03e8023847	output	2019-11-22 14:11:30 -05:00
Patrick Schleizer	0ae5c5ff14	remove umask changes since these are causing issues are are not needed anymore thanks to home folder permission lockdown https://forums.whonix.org/t/change-default-umask/7416/45	2019-08-24 12:14:22 -04:00
Patrick Schleizer	41b2819ec8	PAM: abort on locked password to avoid needlessly bumping pam_tally2 counter https://forums.whonix.org/t/restrict-root-access/7658/1	2019-08-17 10:33:47 +00:00
Patrick Schleizer	ed90d8b025	change default umask to 027 as per: https://forums.whonix.org/t/change-default-umask/7416/47	2019-08-17 09:55:20 +00:00
Patrick Schleizer	ff9bc1d7ea	informational output during PAM: * Show failed and remaining password attempts. * Document unlock procedure if Linux user account got locked. * Point out, that there is no password feedback for `su`. * Explain locked (root) account if locked. * /usr/share/pam-configs/tally2-security-misc * /usr/lib/security-misc/pam_tally2-info	2019-08-15 13:37:28 +00:00
Patrick Schleizer	454e135822	pam_tally2.so even_deny_root	2019-08-15 07:33:41 +00:00
Patrick Schleizer	63b476221c	use requisite rather than required to avoid asking for password needlessly if login will fail anyhow	2019-08-15 07:30:56 +00:00
Patrick Schleizer	8fdc77fed5	output to stdout	2019-08-14 10:33:23 +00:00
Patrick Schleizer	15094cab4f	avoid ' character in usr/share/pam-configs; in description	2019-08-14 09:36:30 +00:00
Patrick Schleizer	97d1945e61	no log needed, informative output to stdout instead	2019-08-14 09:32:58 +00:00
Patrick Schleizer	a085d46c56	change priories so "pam_umask.so usergroups umask=006" runs before pam_exec.so /usr/lib/security-misc/permission-lockdown	2019-08-14 09:31:58 +00:00
Patrick Schleizer	ce06fdf911	formatting	2019-08-14 05:15:53 -04:00
Patrick Schleizer	21489111d1	run permission lockdown during pam https://forums.whonix.org/t/change-default-umask/7416	2019-08-14 08:34:03 +00:00
Patrick Schleizer	52df8dc014	optional pam_umask.so usergroups umask=006	2019-08-14 07:37:21 +00:00
Patrick Schleizer	2f37a66fd0	description	2019-08-11 10:31:29 +00:00
Patrick Schleizer	e83ec79a25	enable usr/share/pam-configs/mkhomedir-security-misc by default	2019-08-11 10:30:51 +00:00
Patrick Schleizer	1eb806a03e	pam_mkhomedir.so umask=006	2019-08-11 10:29:49 +00:00
Patrick Schleizer	c50eb3c9b0	add usr/share/pam-configs/mkhomedir-security-misc based on /usr/share/pam-configs/mkhomedir	2019-08-11 10:28:55 +00:00
Patrick Schleizer	a2fa18c381	pam_tally2.so deny=100 during testing, due to issues `d17e25272b` https://forums.whonix.org/t/how-strong-do-linux-user-account-passwords-have-to-be-when-using-full-disk-encryption-fde-too/7698/12	2019-08-10 07:07:28 -04:00
Patrick Schleizer	d17e25272b	effectively (not directly) add "required pam_tally2.so debug" to /etc/pam.d/common-account This is required because otherwise something like "sudo bash" would count as a failed login for pam_tally2 even though it was successful. https://bugzilla.redhat.com/show_bug.cgi?id=707660 https://forums.whonix.org/t/restrict-root-access/7658	2019-08-10 06:06:39 -04:00
Patrick Schleizer	0f896a9d8d	add onerr=fail audit to pam_tally2	2019-08-10 06:05:37 -04:00
Patrick Schleizer	e076470f68	renamed: usr/share/pam-configs/usergroups -> usr/share/pam-configs/usergroups-security-misc	2019-08-01 11:04:58 +00:00
Patrick Schleizer	830111e99a	split usr/share/pam-configs/security-misc into usr/share/pam-configs/tally2-security-misc usr/share/pam-configs/wheel-security-misc	2019-08-01 11:04:22 +00:00
Patrick Schleizer	89d32402b2	fix, do not use "," inside /usr/share/pam-configs files	2019-07-31 14:52:29 -04:00
Patrick Schleizer	cf90668756	lock user accounts after 5 failed authentication attempts using pam_tally2	2019-07-31 03:25:02 -04:00
Patrick Schleizer	3e29761560	debug at the end	2019-07-31 03:17:06 -04:00
Patrick Schleizer	5cdb3edb32	usr/share/pam-configs/wheel -> usr/share/pam-configs/security-misc	2019-07-31 03:16:41 -04:00
Patrick Schleizer	3f9437f1ec	Revert "set back to default group "root" rather than group "sudo" membership required to use su" This reverts commit `2f276cdb10`.	2019-07-17 14:25:19 -04:00
Patrick Schleizer	2f276cdb10	set back to default group "root" rather than group "sudo" membership required to use su since root login will be locked by default anyhow Thanks to @madaidan for providing the rationale! https://forums.whonix.org/t/restrict-root-access/7658/42	2019-07-15 08:44:28 -04:00
Patrick Schleizer	6d1e8ac9a4	description	2019-07-14 11:16:49 +00:00
Patrick Schleizer	ffb61f43ea	fix, add 'group=sudo' and 'debug' for debugging https://forums.whonix.org/t/restrict-root-access/7658	2019-07-14 11:11:59 +00:00
Patrick Schleizer	e9eb38b5db	formatting	2019-07-13 15:04:09 +00:00
Patrick Schleizer	cb668459e8	port umask from /etc/pam.d to /usr/share/pam-configs implementation https://forums.whonix.org/t/change-default-umask/7416	2019-07-13 10:35:10 -04:00
Patrick Schleizer	69b97981f3	convert etc/pam.d/su.security-misc to usr/share/pam-configs/wheel https://forums.whonix.org/t/restrict-root-access/7658/32	2019-07-13 12:33:51 +00:00

35 Commits