Commit Graph

1143 Commits

Author SHA1 Message Date
madaidan
3c2ca0257f
Support for removing SUID bits 2019-12-19 17:01:08 +00:00
Patrick Schleizer
62eb462920
skip console_users_check for Qubes users 2019-12-16 06:46:48 -05:00
Patrick Schleizer
ab68182e11
bumped changelog version 2019-12-16 06:27:51 -05:00
Patrick Schleizer
2cab38a8b3
readme 2019-12-16 06:24:14 -05:00
Patrick Schleizer
4ca9fc5920
fix 2019-12-16 03:53:10 -05:00
Patrick Schleizer
f68efd53cf
remount /sys/kernel/security with nodev,nosuid[,noexec]
as suggested by @madaidan

http://forums.whonix.org/t/apparmor-for-complete-system-including-init-pid1-systemd-everything-full-system-mac-policy/8339/238
2019-12-16 03:52:09 -05:00
Patrick Schleizer
2c4170e6f3
description 2019-12-12 09:47:58 -05:00
Patrick Schleizer
2d5ef378f3
description 2019-12-12 09:39:39 -05:00
Patrick Schleizer
300f010fc2
increase priority of pam-abort-on-locked-password-security-misc
since it has its own user help output

so it shows before pam tally2 info

to avoid duplicate non-applicable help text
2019-12-12 09:29:00 -05:00
Patrick Schleizer
a10597de92
bumped changelog version 2019-12-12 09:04:15 -05:00
Patrick Schleizer
729fa26eca
use pam_acccess only for /etc/pam.d/login
remove "Allow members of group 'ssh' to login."
remove "+:ssh:ALL EXCEPT LOCAL"
2019-12-12 09:00:08 -05:00
Patrick Schleizer
22b6480bc4
bumped changelog version 2019-12-10 11:44:02 -05:00
Patrick Schleizer
88bea2a6ef
comment 2019-12-10 03:53:10 -05:00
Patrick Schleizer
7d8001ddc9
refactoring 2019-12-10 03:51:39 -05:00
Patrick Schleizer
d2f6ac0491
fix, do user/group modifications in preinst rather than postinst 2019-12-10 03:50:23 -05:00
Patrick Schleizer
64ae53edb9
bumped changelog version 2019-12-09 08:25:30 -05:00
Patrick Schleizer
d80bf036f3
Disable permission hardening now until development finished / tested. 2019-12-09 03:50:43 -05:00
Patrick Schleizer
b72eb30056
quotes 2019-12-09 02:32:05 -05:00
Patrick Schleizer
c258376b7e
use read (built-in) rather than awk (external) 2019-12-09 02:31:10 -05:00
Patrick Schleizer
02165201ab
read -r; refactoring
as per https://mywiki.wooledge.org/BashFAQ/001
2019-12-09 02:23:43 -05:00
Patrick Schleizer
7467252122
quotes 2019-12-09 02:22:16 -05:00
Patrick Schleizer
9bea996017
Merge remote-tracking branch 'origin/master' 2019-12-09 02:21:47 -05:00
Patrick Schleizer
af62da3445
Merge pull request #42 from madaidan/permission-hardening
File permission hardening
2019-12-08 20:45:16 +00:00
madaidan
d7e2deae92
Create permission-hardening.service 2019-12-08 16:50:54 +00:00
madaidan
6c564f6e95
Create permission-hardening.conf 2019-12-08 16:50:11 +00:00
madaidan
61e19fa5f1
Create permission-hardening 2019-12-08 16:49:28 +00:00
Patrick Schleizer
6f944234a9
bumped changelog version 2019-12-08 05:26:29 -05:00
Patrick Schleizer
e64741c01e
readme 2019-12-08 05:25:19 -05:00
Patrick Schleizer
c192644ee3
security-misc /usr/share/pam-configs/permission-lockdown-security-misc is no longer required, removed.
Thereby fix apparmor issue.

> Dec 08 09:47:50 host audit[3232]: AVC apparmor="DENIED" operation="exec" profile="/usr/bin/whonixcheck" name="/usr/lib/security-misc/permission-lockdown" pid=3232 comm="sudo" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
> Dec 08 09:47:50 host sudo[3232]: pam_exec(sudo:session): execve(/usr/lib/security-misc/permission-lockdown,...) failed: Permission denied

It is no longer required, because...

existing linux user accounts:

* Get permission lock down because security-misc `debian/security-misc.postinst` calls `/usr/lib/security-misc/permission-lockdown`.

new linux user accounts (created at first boot):

* security-misc `/usr/share/pam-configs/mkhomedir-security-misc` pam mkhomedir sets secure permissions using `umask=027`.
2019-12-08 05:21:35 -05:00
Patrick Schleizer
edcc2de71d
bumped changelog version 2019-12-08 04:38:33 -05:00
Patrick Schleizer
1227ccd1f7
After=qubes-sysinit.service 2019-12-08 04:37:53 -05:00
Patrick Schleizer
17d81d0083
bumped changelog version 2019-12-08 04:27:01 -05:00
Patrick Schleizer
ebae9eef38
skip sudo_users_check in Qubes
Qubes users can use dom0 to get a root terminal emulator.

For example:
qvm-run -u root debian-10 xterm
2019-12-08 04:25:19 -05:00
Patrick Schleizer
53e4717c62
bumped changelog version 2019-12-08 04:05:29 -05:00
Patrick Schleizer
bc45ed385e
readme 2019-12-08 04:03:02 -05:00
Patrick Schleizer
ac96708b24
improve usr/bin/hardening-enable 2019-12-08 04:01:11 -05:00
Patrick Schleizer
a345a0fb64
abort installation if ssh.service is enabled but no user is member of group ssh 2019-12-08 03:27:12 -05:00
Patrick Schleizer
50ac03363f
output 2019-12-08 03:18:32 -05:00
Patrick Schleizer
c7c65fe4e7
higher priority usr/share/pam-configs/tally2-security-misc
so it can give info before pam stack gets aborted by other pam modules
2019-12-08 03:15:53 -05:00
Patrick Schleizer
3bd0b3f837
notify when attempting to use ssh but user is member of group ssh 2019-12-08 03:10:41 -05:00
Patrick Schleizer
cea598dc1a
refactoring 2019-12-08 02:43:05 -05:00
Patrick Schleizer
54f5e02c21
comment 2019-12-08 02:42:30 -05:00
Patrick Schleizer
b4265195f4
refactoring 2019-12-08 02:41:36 -05:00
Patrick Schleizer
0f65b2e85c
abort installation if no user is a member of group "console"; output
https://forums.whonix.org/t/etc-security-hardening-console-lockdown-pam-access-access-conf/8592/7
2019-12-08 02:38:19 -05:00
Patrick Schleizer
1dbca1ea2d
add usr/bin/hardening-enable 2019-12-08 02:27:09 -05:00
Patrick Schleizer
19cc6d7555
pam description 2019-12-08 02:10:43 -05:00
Patrick Schleizer
24423b42f0
description 2019-12-08 02:03:05 -05:00
Patrick Schleizer
6b01e5be14
comment 2019-12-08 02:01:22 -05:00
Patrick Schleizer
66bebefc9f
description 2019-12-08 02:00:23 -05:00
Patrick Schleizer
52e0f104cc
comment 2019-12-08 01:59:55 -05:00