security-misc

mirror of https://github.com/Kicksecure/security-misc.git synced 2024-10-01 08:25:45 -04:00

Author	SHA1	Message	Date
Patrick Schleizer	f92b414195	refactoring	2019-12-20 04:06:28 -05:00
Patrick Schleizer	4c44871e9d	comment	2019-12-20 04:02:05 -05:00
Patrick Schleizer	6876a2eaa8	comment	2019-12-20 04:01:40 -05:00
Patrick Schleizer	35c4fce61b	fix "dpkg-statoverride: warning: stripping trailing /"	2019-12-20 03:54:46 -05:00
Patrick Schleizer	9bd9012ab1	refactoring	2019-12-20 03:46:50 -05:00
Patrick Schleizer	55933f8876	refactoring	2019-12-20 03:43:36 -05:00
Patrick Schleizer	9e493a9f48	refactoring	2019-12-20 03:42:09 -05:00
Patrick Schleizer	b92a690c16	refactoring	2019-12-20 03:40:47 -05:00
Patrick Schleizer	98535e3a2b	refactoring	2019-12-20 03:39:25 -05:00
Patrick Schleizer	ecbba2fd61	refactoring	2019-12-20 03:38:39 -05:00
Patrick Schleizer	20b8a407ac	refactoring	2019-12-20 03:25:17 -05:00
Patrick Schleizer	6cd9eb44fb	refactoring	2019-12-20 03:24:07 -05:00
Patrick Schleizer	706dba104d	code simplification	2019-12-20 03:19:12 -05:00
Patrick Schleizer	01dd567f8b	fix, if fso has exactly the mode we want (not 3 instead of 4 string length), not need to reset it	2019-12-20 03:16:43 -05:00
Patrick Schleizer	4f65b0fc1e	refactoring	2019-12-20 03:13:27 -05:00
Patrick Schleizer	bfee6b60cb	comment	2019-12-20 03:11:11 -05:00
Patrick Schleizer	d64cdc1247	refactoring	2019-12-20 03:04:41 -05:00
Patrick Schleizer	7c5c65a6c1	comment	2019-12-20 03:04:13 -05:00
Patrick Schleizer	b31d8cd3fc	fix	2019-12-20 03:03:40 -05:00
Patrick Schleizer	c626290673	refactoring	2019-12-20 03:02:26 -05:00
Patrick Schleizer	d5ff1d6f28	refactoring	2019-12-20 03:00:39 -05:00
Patrick Schleizer	640ca1d24d	skip symlinks https://forums.whonix.org/t/kernel-hardening/7296/323?	2019-12-20 02:57:57 -05:00
Patrick Schleizer	cc8f795799	comment	2019-12-20 02:47:04 -05:00
Patrick Schleizer	4e5b222a08	comment	2019-12-20 02:43:33 -05:00
Patrick Schleizer	fa895ee11e	refactoring	2019-12-20 02:40:42 -05:00
Patrick Schleizer	2c163bf439	check string length of permission variable https://forums.whonix.org/t/kernel-hardening/7296/322	2019-12-20 02:39:53 -05:00
Patrick Schleizer	a89befd902	code simplification	2019-12-20 02:20:54 -05:00
Patrick Schleizer	72812da63f	comment	2019-12-20 02:16:32 -05:00
Patrick Schleizer	39a41cc27b	refactoring	2019-12-20 02:14:45 -05:00
Patrick Schleizer	2ed6452590	downgrade to info	2019-12-20 02:12:43 -05:00
Patrick Schleizer	a5e55dfcfc	quotes	2019-12-20 02:11:39 -05:00
Patrick Schleizer	3187cee4fb	output	2019-12-20 02:10:13 -05:00
Patrick Schleizer	5160b4c781	disable xtrace	2019-12-20 02:08:05 -05:00
Patrick Schleizer	27bfe95d25	add echo wrapper	2019-12-20 02:07:49 -05:00
Patrick Schleizer	a6988f3fb8	output	2019-12-20 02:06:31 -05:00
Patrick Schleizer	1819577b88	fix	2019-12-20 02:04:34 -05:00
Patrick Schleizer	278c60c5a0	exit non-zero if some line cannot be parsed therefore make systemd notice this therefore allow the sysadmin to notice this	2019-12-20 02:01:36 -05:00
Patrick Schleizer	66bcba8313	improve character whitelisting	2019-12-20 01:58:35 -05:00
Patrick Schleizer	8f14e808a9	send error messages to stderr	2019-12-20 01:32:49 -05:00
Patrick Schleizer	d8c9fac2e5	output	2019-12-20 01:32:08 -05:00
Patrick Schleizer	f19abaf627	refactoring	2019-12-20 01:31:37 -05:00
madaidan	3c2ca0257f	Support for removing SUID bits	2019-12-19 17:01:08 +00:00
Patrick Schleizer	4ca9fc5920	fix	2019-12-16 03:53:10 -05:00
Patrick Schleizer	f68efd53cf	remount /sys/kernel/security with nodev,nosuid[,noexec] as suggested by @madaidan http://forums.whonix.org/t/apparmor-for-complete-system-including-init-pid1-systemd-everything-full-system-mac-policy/8339/238	2019-12-16 03:52:09 -05:00
Patrick Schleizer	729fa26eca	use pam_acccess only for /etc/pam.d/login remove "Allow members of group 'ssh' to login." remove "+:ssh:ALL EXCEPT LOCAL"	2019-12-12 09:00:08 -05:00
Patrick Schleizer	b72eb30056	quotes	2019-12-09 02:32:05 -05:00
Patrick Schleizer	c258376b7e	use read (built-in) rather than awk (external)	2019-12-09 02:31:10 -05:00
Patrick Schleizer	02165201ab	read -r; refactoring as per https://mywiki.wooledge.org/BashFAQ/001	2019-12-09 02:23:43 -05:00
Patrick Schleizer	7467252122	quotes	2019-12-09 02:22:16 -05:00
madaidan	61e19fa5f1	Create permission-hardening	2019-12-08 16:49:28 +00:00
Patrick Schleizer	50ac03363f	output	2019-12-08 03:18:32 -05:00
Patrick Schleizer	3bd0b3f837	notify when attempting to use ssh but user is member of group ssh	2019-12-08 03:10:41 -05:00
madaidan	6846a94327	Check for more locations of System.map	2019-12-07 19:38:12 +00:00
madaidan	668b6420de	Remove hyphen	2019-12-07 14:15:02 +00:00
Patrick Schleizer	9ba84f34c6	comment	2019-12-07 06:51:59 -05:00
Patrick Schleizer	dc1dfc8c20	output	2019-12-07 06:51:16 -05:00
Patrick Schleizer	532a1525c2	comment	2019-12-07 06:26:55 -05:00
Patrick Schleizer	14aa6c5077	comment	2019-12-07 06:26:23 -05:00
Patrick Schleizer	8b3f5a555b	add console lockdown to pam info output	2019-12-07 06:25:45 -05:00
Patrick Schleizer	5a4eda0d05	also support /usr/local/etc/remount-disable and /usr/local/etc/noexec	2019-12-07 01:53:33 -05:00
Patrick Schleizer	9b14f24d5e	refactoring	2019-12-06 11:17:32 -05:00
Patrick Schleizer	a6133f5912	output	2019-12-06 11:16:43 -05:00
Patrick Schleizer	c1ea35e2ef	output	2019-12-06 11:15:54 -05:00
Patrick Schleizer	4bec41379d	fix remount with noexec if /etc/noexec exists	2019-12-06 11:15:13 -05:00
Patrick Schleizer	470cad6e91	remount /home /tmp /dev/shm /run with nosuid,nodev (default) and noexec (opt-in) https://forums.whonix.org/t/re-mount-home-and-other-with-noexec-and-nosuid-among-other-useful-mount-options-for-better-security/7707	2019-12-06 05:14:02 -05:00
Patrick Schleizer	aa5451c8cd	Lock user accounts after 50 rather than 100 failed login attempts. https://forums.whonix.org/t/how-strong-do-linux-user-account-passwords-have-to-be-when-using-full-disk-encryption-fde-too/7698/19	2019-11-25 01:39:53 -05:00
Patrick Schleizer	fe1f1b73a7	load jitterentropy_rng kernel module for better entropy collection https://www.whonix.org/wiki/Dev/Entropy https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=927972 https://forums.whonix.org/t/jitterentropy-rngd/7204	2019-11-23 11:20:32 +00:00
Patrick Schleizer	74293bcd2f	output	2019-11-05 01:59:25 -05:00
Patrick Schleizer	2b5b06b602	output	2019-11-05 01:59:19 -05:00
Patrick Schleizer	d6977becba	refactoring	2019-11-05 01:51:14 -05:00
Patrick Schleizer	daf0006795	comment	2019-11-05 01:50:27 -05:00
Patrick Schleizer	203d5cfa68	copyright	2019-10-31 11:19:44 -04:00
Patrick Schleizer	d4e02de43a	set SUDO_ASKPASS for pkexec wrapper when using sudo --askpass	2019-10-22 09:04:44 -04:00
Patrick Schleizer	343d9cc916	fix	2019-10-21 09:53:55 +00:00
Patrick Schleizer	40707e70db	Redirect calls for pkexec to lxqt-sudo because pkexec is incompatible with hidepid. https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=860040 https://forums.whonix.org/t/cannot-use-pkexec/8129 Thanks to AnonymousUser for the bug report!	2019-10-21 05:46:49 -04:00
Patrick Schleizer	a5045dc26e	set -e	2019-10-17 06:18:32 -04:00
Patrick Schleizer	4aba027566	syntax check	2019-10-17 06:12:36 -04:00
Patrick Schleizer	8b9aa8841a	fix	2019-10-17 06:11:01 -04:00
Patrick Schleizer	cfbd77040a	set "shopt -s nullglob" to avoid failing when folder /etc/hide-hardware-info.d does not exist or is empty	2019-10-17 06:10:29 -04:00
Patrick Schleizer	b05663c5f6	shuffle https://forums.whonix.org/t/restrict-hardware-information-to-root/7329/80	2019-10-17 06:08:55 -04:00
Patrick Schleizer	28a440091d	code simplification	2019-10-17 06:08:16 -04:00
Patrick Schleizer	3c4e261c20	remove trailing spaces	2019-10-17 06:05:23 -04:00
Patrick Schleizer	8a42c5b023	Merge pull request #34 from madaidan/whitelist Add a whitelist for /sys and /proc/cpuinfo	2019-10-17 09:59:12 +00:00
madaidan	61f742304d	return 0	2019-10-16 19:46:59 +00:00
madaidan	ffba0e0179	Elaborate	2019-10-16 19:04:15 +00:00
madaidan	f08c03ab21	Restrict sysfs/cpuinfo if the whitelist is disabled	2019-10-16 15:39:23 +00:00
madaidan	6b78dbcd07	Add way to whitelist things	2019-10-15 20:57:02 +00:00
Patrick Schleizer	d2bc3a2a08	chmod +x usr/lib/security-misc/hide-hardware-info	2019-10-05 09:14:41 +00:00
madaidan	87917d2f03	Add licensing	2019-10-03 21:38:07 +00:00
madaidan	9449f5017a	Create hide-hardware-info	2019-10-03 20:45:14 +00:00
Patrick Schleizer	75258843e9	copyright	2019-09-16 13:03:43 +00:00
Patrick Schleizer	8e39cea876	comment	2019-09-16 13:03:25 +00:00
Patrick Schleizer	bac462f211	comment	2019-09-16 13:03:02 +00:00
Patrick Schleizer	bec680d4f3	pam_tally2-info: fix, do nothing when started as user "user" xscreensaver runs as user "user", therefore pam_tally2 cannot function. xscreensaver has its own failed login counter. as user "user" /sbin/pam_tally2 -u user pam_tally2: Error opening /var/log/tallylog for update: Permission denied /sbin/pam_tally2: Authentication error https://askubuntu.com/questions/983183/how-lock-the-unlock-screen-after-wrong-password-attempts https://forums.whonix.org/t/how-strong-do-linux-user-account-passwords-have-to-be-when-using-full-disk-encryption-fde-too/7698	2019-09-16 12:30:23 +00:00
Patrick Schleizer	0140df8668	virusforget	2019-08-19 08:43:28 +00:00
Patrick Schleizer	113ab42568	virusforget	2019-08-19 08:31:23 +00:00
Patrick Schleizer	416906d4f9	virusforget	2019-08-19 08:19:35 +00:00
Patrick Schleizer	2d867d9fee	virusforget	2019-08-19 08:10:18 +00:00
Patrick Schleizer	8e76e6b8b3	fix	2019-08-19 07:48:12 +00:00
Patrick Schleizer	3f068f77fe	keep cache folder outside of reach of user since even user can remove files owned by root in its home folder	2019-08-19 07:47:20 +00:00
Patrick Schleizer	1fa1efa58e	credits	2019-08-19 07:22:09 +00:00
Patrick Schleizer	1e026a3ebb	initial development version of VirusForget	2019-08-18 22:50:44 +00:00
Patrick Schleizer	41b2819ec8	PAM: abort on locked password to avoid needlessly bumping pam_tally2 counter https://forums.whonix.org/t/restrict-root-access/7658/1	2019-08-17 10:33:47 +00:00
Patrick Schleizer	17cfcb63b6	code simplification; report locked account earlier	2019-08-16 10:50:56 -04:00
Patrick Schleizer	ff9bc1d7ea	informational output during PAM: * Show failed and remaining password attempts. * Document unlock procedure if Linux user account got locked. * Point out, that there is no password feedback for `su`. * Explain locked (root) account if locked. * /usr/share/pam-configs/tally2-security-misc * /usr/lib/security-misc/pam_tally2-info	2019-08-15 13:37:28 +00:00
Patrick Schleizer	547ba91d79	sanity test	2019-08-14 09:45:30 +00:00
Patrick Schleizer	799acad724	skip, if not a folder	2019-08-14 09:39:43 +00:00
Patrick Schleizer	6321ff5ad5	refactoring	2019-08-14 09:38:44 +00:00
Patrick Schleizer	f8c828b69a	output	2019-08-14 05:19:02 -04:00
Patrick Schleizer	e5da6d9699	copyright	2019-08-14 05:17:54 -04:00
Patrick Schleizer	1595789d7c	comment	2019-08-14 05:17:16 -04:00
Patrick Schleizer	21489111d1	run permission lockdown during pam https://forums.whonix.org/t/change-default-umask/7416	2019-08-14 08:34:03 +00:00
Patrick Schleizer	dbea7d1511	add hook etc/kernel/postinst.d/30_remove-system-map to remove system.map on kernel package upgrade; self-document this package: during upgrade the following will be written to stdout: Setting up linux-image-4.19.0-5-amd64 (4.19.37-5+deb10u2) ... /etc/kernel/postinst.d/30_remove-system-map: removed '/boot/System.map-4.19.0-5-amd64	2019-08-14 07:22:14 +00:00
Patrick Schleizer	6af2d7facb	copyright	2019-07-13 18:12:25 +00:00
Patrick Schleizer	75f0ca565d	set -e	2019-07-13 18:12:04 +00:00
Patrick Schleizer	c389e13e1a	use pre.bsh	2019-07-13 17:59:49 +00:00
Patrick Schleizer	bea98474ba	chmod +x usr/lib/security-misc/panic-on-oops	2019-07-11 07:07:21 +00:00
madaidan	52c61011d4	Create panic-on-oops	2019-07-08 22:58:56 +00:00
Patrick Schleizer	a978fe1000	chmod +x usr/lib/security-misc/remove-system.map	2019-06-28 07:17:35 +00:00
madaidan	9392c8deb2	Update remove-system.map	2019-06-26 15:03:54 +00:00
madaidan	8ef0db17e6	Use a for loop to detect if System.map exists	2019-06-26 12:59:45 +00:00
madaidan	382e336f69	Create remove-system.map	2019-06-25 19:20:27 +00:00
Patrick Schleizer	6ba1fb70d2	port to debian buster	2019-04-05 14:06:00 -04:00
Patrick Schleizer	5b3fc2f6b9	update copyright	2018-01-29 15:22:05 +00:00
Patrick Schleizer	c3b6a44e97	update copyright	2018-01-29 15:15:17 +00:00
Patrick Schleizer	ff28f5932c	update copyright	2018-01-29 15:09:42 +00:00
Patrick Schleizer	f6bc188485	comment	2017-02-28 15:22:54 +01:00
Patrick Schleizer	18e23af784	cleanup	2017-02-27 23:59:37 +00:00
Patrick Schleizer	6195450eb2	No longer ignore duplicate apt sources in apt-get-wrapper. No longer acceptable because these generate lots of noise in the terminal.	2017-02-27 23:57:04 +00:00
Patrick Schleizer	191918027c	adjust apt-get-wrapper for Debian stretch's apt-get	2017-02-27 23:43:02 +00:00
Patrick Schleizer	2130b4c654	use python rather than unbuffer because unbuffer eats exit code when process is killed	2017-02-27 23:16:32 +00:00
Patrick Schleizer	cc351165dc	apt-get-wrapper: - fix exit code handling - code simplification	2017-02-27 19:36:38 +00:00
Patrick Schleizer	5653b7732a	fix, show progress during apt-get-wrapper fix, propagate signals to apt-get child process	2017-02-26 23:57:17 +00:00
Patrick Schleizer	bddbba84a6	"$@"	2017-02-14 17:30:31 +00:00
Patrick Schleizer	9b0d3e34fc	add usr/lib/security-misc/apt-get-update-sanity-test a CVE-2016-1252 sanity test script	2017-02-14 02:37:08 +00:00
Patrick Schleizer	90f175e117	double apt-get-update wrapper timeout from 120 to 240 seconds since it takes a bit longer than 120 seconds for me on a fast connection	2017-02-08 14:26:26 +00:00
Patrick Schleizer	0cf6524f0f	apt-get-update: implement SIGINIT trap; hide 'ps' output	2016-12-25 02:33:44 +00:00
Patrick Schleizer	c4089d8d40	update path to /usr/lib/security-misc/apt-get-wrapper	2016-12-25 01:36:04 +00:00
Patrick Schleizer	7b01fb9341	remove obsolete comments	2016-12-25 01:35:17 +00:00
Patrick Schleizer	8160cfe1d7	moved apt-get-update and apt-get-wrapper from whonixcheck to security-misc	2016-12-25 01:29:31 +00:00

... 2 3 4 5 6

290 Commits