Patrick Schleizer
f19abaf627
refactoring
2019-12-20 01:31:37 -05:00
madaidan
3c2ca0257f
Support for removing SUID bits
2019-12-19 17:01:08 +00:00
Patrick Schleizer
4ca9fc5920
fix
2019-12-16 03:53:10 -05:00
Patrick Schleizer
f68efd53cf
remount /sys/kernel/security with nodev,nosuid[,noexec]
...
as suggested by @madaidan
http://forums.whonix.org/t/apparmor-for-complete-system-including-init-pid1-systemd-everything-full-system-mac-policy/8339/238
2019-12-16 03:52:09 -05:00
Patrick Schleizer
300f010fc2
increase priority of pam-abort-on-locked-password-security-misc
...
since it has its own user help output
so it shows before pam tally2 info
to avoid duplicate non-applicable help text
2019-12-12 09:29:00 -05:00
Patrick Schleizer
729fa26eca
use pam_access only for /etc/pam.d/login
...
remove "Allow members of group 'ssh' to login."
remove "+:ssh:ALL EXCEPT LOCAL"
2019-12-12 09:00:08 -05:00
Patrick Schleizer
b72eb30056
quotes
2019-12-09 02:32:05 -05:00
Patrick Schleizer
c258376b7e
use read (built-in) rather than awk (external)
2019-12-09 02:31:10 -05:00
Patrick Schleizer
02165201ab
read -r; refactoring
...
as per https://mywiki.wooledge.org/BashFAQ/001
2019-12-09 02:23:43 -05:00
Patrick Schleizer
7467252122
quotes
2019-12-09 02:22:16 -05:00
madaidan
61e19fa5f1
Create permission-hardening
2019-12-08 16:49:28 +00:00
Patrick Schleizer
c192644ee3
security-misc /usr/share/pam-configs/permission-lockdown-security-misc
is no longer required, removed.
...
Thereby fix apparmor issue.
> Dec 08 09:47:50 host audit[3232]: AVC apparmor="DENIED" operation="exec" profile="/usr/bin/whonixcheck" name="/usr/lib/security-misc/permission-lockdown" pid=3232 comm="sudo" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
> Dec 08 09:47:50 host sudo[3232]: pam_exec(sudo:session): execve(/usr/lib/security-misc/permission-lockdown,...) failed: Permission denied
It is no longer required, because...
existing linux user accounts:
* Get permission lock down because security-misc `debian/security-misc.postinst` calls `/usr/lib/security-misc/permission-lockdown`.
new linux user accounts (created at first boot):
* security-misc `/usr/share/pam-configs/mkhomedir-security-misc` pam mkhomedir sets secure permissions using `umask=027`.
2019-12-08 05:21:35 -05:00
Patrick Schleizer
ac96708b24
improve usr/bin/hardening-enable
2019-12-08 04:01:11 -05:00
Patrick Schleizer
50ac03363f
output
2019-12-08 03:18:32 -05:00
Patrick Schleizer
c7c65fe4e7
higher priority usr/share/pam-configs/tally2-security-misc
...
so it can give info before pam stack gets aborted by other pam modules
2019-12-08 03:15:53 -05:00
Patrick Schleizer
3bd0b3f837
notify when attempting to use ssh but user is member of group ssh
2019-12-08 03:10:41 -05:00
Patrick Schleizer
1dbca1ea2d
add usr/bin/hardening-enable
2019-12-08 02:27:09 -05:00
Patrick Schleizer
19cc6d7555
pam description
2019-12-08 02:10:43 -05:00
Patrick Schleizer
b871421a54
usr/share/pam-configs/console-lockdown -> usr/share/pam-configs/console-lockdown-security-misc
2019-12-08 01:57:43 -05:00
madaidan
6846a94327
Check for more locations of System.map
2019-12-07 19:38:12 +00:00
madaidan
668b6420de
Remove hyphen
2019-12-07 14:15:02 +00:00
Patrick Schleizer
9ba84f34c6
comment
2019-12-07 06:51:59 -05:00
Patrick Schleizer
dc1dfc8c20
output
2019-12-07 06:51:16 -05:00
Patrick Schleizer
532a1525c2
comment
2019-12-07 06:26:55 -05:00
Patrick Schleizer
14aa6c5077
comment
2019-12-07 06:26:23 -05:00
Patrick Schleizer
8b3f5a555b
add console lockdown to pam info output
2019-12-07 06:25:45 -05:00
Patrick Schleizer
6479c883bf
Console Lockdown.
...
Allow members of group 'console' to use tty1 to tty7. Everyone else except
members of group 'console-unrestricted' are restricted from using console
using ancient, unpopular login methods such as using /bin/login over networks,
which might be exploitable. (CVE-2001-0797)
Not enabled by default in this package since this package does not know which
users shall be added to group 'console'.
In new Whonix builds, user 'user' will be added to group 'console' and
pam console-lockdown enabled by package anon-base-files.
/usr/share/pam-configs/console-lockdown
/etc/security/access-security-misc.conf
https://forums.whonix.org/t/etc-security-hardening/8592
2019-12-07 05:40:20 -05:00
Patrick Schleizer
5a4eda0d05
also support /usr/local/etc/remount-disable and /usr/local/etc/noexec
2019-12-07 01:53:33 -05:00
Patrick Schleizer
9b14f24d5e
refactoring
2019-12-06 11:17:32 -05:00
Patrick Schleizer
a6133f5912
output
2019-12-06 11:16:43 -05:00
Patrick Schleizer
c1ea35e2ef
output
2019-12-06 11:15:54 -05:00
Patrick Schleizer
4bec41379d
fix remount with noexec if /etc/noexec exists
2019-12-06 11:15:13 -05:00
Patrick Schleizer
470cad6e91
remount /home /tmp /dev/shm /run with nosuid,nodev (default) and noexec (opt-in)
...
https://forums.whonix.org/t/re-mount-home-and-other-with-noexec-and-nosuid-among-other-useful-mount-options-for-better-security/7707
2019-12-06 05:14:02 -05:00
Patrick Schleizer
aa5451c8cd
Lock user accounts after 50 rather than 100 failed login attempts.
...
https://forums.whonix.org/t/how-strong-do-linux-user-account-passwords-have-to-be-when-using-full-disk-encryption-fde-too/7698/19
2019-11-25 01:39:53 -05:00
Patrick Schleizer
fe1f1b73a7
load jitterentropy_rng kernel module for better entropy collection
...
https://www.whonix.org/wiki/Dev/Entropy
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=927972
https://forums.whonix.org/t/jitterentropy-rngd/7204
2019-11-23 11:20:32 +00:00
Patrick Schleizer
03e8023847
output
2019-11-22 14:11:30 -05:00
Patrick Schleizer
2e73c053b5
fix lintian warning
2019-11-09 12:55:00 +00:00
Patrick Schleizer
74293bcd2f
output
2019-11-05 01:59:25 -05:00
Patrick Schleizer
2b5b06b602
output
2019-11-05 01:59:19 -05:00
Patrick Schleizer
d6977becba
refactoring
2019-11-05 01:51:14 -05:00
Patrick Schleizer
daf0006795
comment
2019-11-05 01:50:27 -05:00
Patrick Schleizer
203d5cfa68
copyright
2019-10-31 11:19:44 -04:00
Patrick Schleizer
bce5274a15
quotes fix
2019-10-22 09:22:29 -04:00
Patrick Schleizer
e20b9e2133
better solution when using pkexec with --user: wrap sudo --user with lxqt-sudo
2019-10-22 09:08:18 -04:00
Patrick Schleizer
d4e02de43a
set SUDO_ASKPASS for pkexec wrapper when using sudo --askpass
2019-10-22 09:04:44 -04:00
Patrick Schleizer
1a65a91039
long rather than short option
2019-10-22 08:56:05 -04:00
Patrick Schleizer
b55913637b
silence output by mount/grep
2019-10-22 08:54:48 -04:00
Patrick Schleizer
a1154170c9
Call original pkexec in case there are no arguments.
2019-10-22 08:54:17 -04:00
Patrick Schleizer
1e4d0ea1d0
fix lintian warning
2019-10-21 09:55:05 +00:00
Patrick Schleizer
343d9cc916
fix
2019-10-21 09:53:55 +00:00
Patrick Schleizer
40707e70db
Redirect calls for pkexec to lxqt-sudo because pkexec is incompatible with hidepid.
...
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=860040
https://forums.whonix.org/t/cannot-use-pkexec/8129
Thanks to AnonymousUser for the bug report!
2019-10-21 05:46:49 -04:00
Patrick Schleizer
a5045dc26e
set -e
2019-10-17 06:18:32 -04:00
Patrick Schleizer
4aba027566
syntax check
2019-10-17 06:12:36 -04:00
Patrick Schleizer
8b9aa8841a
fix
2019-10-17 06:11:01 -04:00
Patrick Schleizer
cfbd77040a
set "shopt -s nullglob" to avoid failing when folder /etc/hide-hardware-info.d
...
does not exist or is empty
2019-10-17 06:10:29 -04:00
Patrick Schleizer
b05663c5f6
shuffle
...
https://forums.whonix.org/t/restrict-hardware-information-to-root/7329/80
2019-10-17 06:08:55 -04:00
Patrick Schleizer
28a440091d
code simplification
2019-10-17 06:08:16 -04:00
Patrick Schleizer
3c4e261c20
remove trailing spaces
2019-10-17 06:05:23 -04:00
Patrick Schleizer
8a42c5b023
Merge pull request #34 from madaidan/whitelist
...
Add a whitelist for /sys and /proc/cpuinfo
2019-10-17 09:59:12 +00:00
madaidan
61f742304d
return 0
2019-10-16 19:46:59 +00:00
madaidan
ffba0e0179
Elaborate
2019-10-16 19:04:15 +00:00
madaidan
f08c03ab21
Restrict sysfs/cpuinfo if the whitelist is disabled
2019-10-16 15:39:23 +00:00
madaidan
6b78dbcd07
Add way to whitelist things
2019-10-15 20:57:02 +00:00
Patrick Schleizer
d2bc3a2a08
chmod +x usr/lib/security-misc/hide-hardware-info
2019-10-05 09:14:41 +00:00
madaidan
87917d2f03
Add licensing
2019-10-03 21:38:07 +00:00
madaidan
9449f5017a
Create hide-hardware-info
2019-10-03 20:45:14 +00:00
Patrick Schleizer
75258843e9
copyright
2019-09-16 13:03:43 +00:00
Patrick Schleizer
8e39cea876
comment
2019-09-16 13:03:25 +00:00
Patrick Schleizer
bac462f211
comment
2019-09-16 13:03:02 +00:00
Patrick Schleizer
bec680d4f3
pam_tally2-info: fix, do nothing when started as user "user"
...
xscreensaver runs as user "user", therefore pam_tally2 cannot function.
xscreensaver has its own failed login counter.
as user "user"
/sbin/pam_tally2 -u user
pam_tally2: Error opening /var/log/tallylog for update: Permission denied
/sbin/pam_tally2: Authentication error
https://askubuntu.com/questions/983183/how-lock-the-unlock-screen-after-wrong-password-attempts
https://forums.whonix.org/t/how-strong-do-linux-user-account-passwords-have-to-be-when-using-full-disk-encryption-fde-too/7698
2019-09-16 12:30:23 +00:00
Patrick Schleizer
0ae5c5ff14
remove umask changes since these are causing issues and are not needed anymore
...
thanks to home folder permission lockdown
https://forums.whonix.org/t/change-default-umask/7416/45
2019-08-24 12:14:22 -04:00
Patrick Schleizer
0140df8668
virusforget
2019-08-19 08:43:28 +00:00
Patrick Schleizer
113ab42568
virusforget
2019-08-19 08:31:23 +00:00
Patrick Schleizer
416906d4f9
virusforget
2019-08-19 08:19:35 +00:00
Patrick Schleizer
2d867d9fee
virusforget
2019-08-19 08:10:18 +00:00
Patrick Schleizer
8e76e6b8b3
fix
2019-08-19 07:48:12 +00:00
Patrick Schleizer
3f068f77fe
keep cache folder outside of reach of user since even user can remove files
...
owned by root in its home folder
2019-08-19 07:47:20 +00:00
Patrick Schleizer
1fa1efa58e
credits
2019-08-19 07:22:09 +00:00
Patrick Schleizer
1e026a3ebb
initial development version of VirusForget
2019-08-18 22:50:44 +00:00
Patrick Schleizer
41b2819ec8
PAM: abort on locked password
...
to avoid needlessly bumping pam_tally2 counter
https://forums.whonix.org/t/restrict-root-access/7658/1
2019-08-17 10:33:47 +00:00
Patrick Schleizer
ed90d8b025
change default umask to 027
...
as per:
https://forums.whonix.org/t/change-default-umask/7416/47
2019-08-17 09:55:20 +00:00
Patrick Schleizer
17cfcb63b6
code simplification; report locked account earlier
2019-08-16 10:50:56 -04:00
Patrick Schleizer
ff9bc1d7ea
informational output during PAM:
...
* Show failed and remaining password attempts.
* Document unlock procedure if Linux user account got locked.
* Point out, that there is no password feedback for `su`.
* Explain locked (root) account if locked.
* /usr/share/pam-configs/tally2-security-misc
* /usr/lib/security-misc/pam_tally2-info
2019-08-15 13:37:28 +00:00
Patrick Schleizer
454e135822
pam_tally2.so even_deny_root
2019-08-15 07:33:41 +00:00
Patrick Schleizer
63b476221c
use requisite rather than required to avoid asking for password needlessly
...
if login will fail anyhow
2019-08-15 07:30:56 +00:00
Patrick Schleizer
8fdc77fed5
output to stdout
2019-08-14 10:33:23 +00:00
Patrick Schleizer
547ba91d79
sanity test
2019-08-14 09:45:30 +00:00
Patrick Schleizer
799acad724
skip, if not a folder
2019-08-14 09:39:43 +00:00
Patrick Schleizer
6321ff5ad5
refactoring
2019-08-14 09:38:44 +00:00
Patrick Schleizer
15094cab4f
avoid ' character in usr/share/pam-configs; in description
2019-08-14 09:36:30 +00:00
Patrick Schleizer
97d1945e61
no log needed, informative output to stdout instead
2019-08-14 09:32:58 +00:00
Patrick Schleizer
a085d46c56
change priorities so "pam_umask.so usergroups umask=006" runs before pam_exec.so /usr/lib/security-misc/permission-lockdown
2019-08-14 09:31:58 +00:00
Patrick Schleizer
f8c828b69a
output
2019-08-14 05:19:02 -04:00
Patrick Schleizer
e5da6d9699
copyright
2019-08-14 05:17:54 -04:00
Patrick Schleizer
1595789d7c
comment
2019-08-14 05:17:16 -04:00
Patrick Schleizer
ce06fdf911
formatting
2019-08-14 05:15:53 -04:00
Patrick Schleizer
21489111d1
run permission lockdown during pam
...
https://forums.whonix.org/t/change-default-umask/7416
2019-08-14 08:34:03 +00:00
Patrick Schleizer
52df8dc014
optional pam_umask.so usergroups umask=006
2019-08-14 07:37:21 +00:00
Patrick Schleizer
dbea7d1511
add hook etc/kernel/postinst.d/30_remove-system-map to remove system.map
...
on kernel package upgrade;
self-document this package: during upgrade the following will be written
to stdout:
Setting up linux-image-4.19.0-5-amd64 (4.19.37-5+deb10u2) ...
/etc/kernel/postinst.d/30_remove-system-map:
removed '/boot/System.map-4.19.0-5-amd64
2019-08-14 07:22:14 +00:00
Patrick Schleizer
2f37a66fd0
description
2019-08-11 10:31:29 +00:00
Patrick Schleizer
e83ec79a25
enable usr/share/pam-configs/mkhomedir-security-misc by default
2019-08-11 10:30:51 +00:00
Patrick Schleizer
1eb806a03e
pam_mkhomedir.so umask=006
2019-08-11 10:29:49 +00:00
Patrick Schleizer
c50eb3c9b0
add usr/share/pam-configs/mkhomedir-security-misc based on
...
/usr/share/pam-configs/mkhomedir
2019-08-11 10:28:55 +00:00
Patrick Schleizer
a2fa18c381
pam_tally2.so deny=100
...
during testing, due to issues
d17e25272b
https://forums.whonix.org/t/how-strong-do-linux-user-account-passwords-have-to-be-when-using-full-disk-encryption-fde-too/7698/12
2019-08-10 07:07:28 -04:00
Patrick Schleizer
d17e25272b
effectively (not directly) add "required pam_tally2.so debug" to /etc/pam.d/common-account
...
This is required because otherwise something like "sudo bash" would count as a
failed login for pam_tally2 even though it was successful.
https://bugzilla.redhat.com/show_bug.cgi?id=707660
https://forums.whonix.org/t/restrict-root-access/7658
2019-08-10 06:06:39 -04:00
Patrick Schleizer
0f896a9d8d
add onerr=fail audit to pam_tally2
2019-08-10 06:05:37 -04:00
Patrick Schleizer
e076470f68
renamed: usr/share/pam-configs/usergroups -> usr/share/pam-configs/usergroups-security-misc
2019-08-01 11:04:58 +00:00
Patrick Schleizer
830111e99a
split usr/share/pam-configs/security-misc
...
into
usr/share/pam-configs/tally2-security-misc
usr/share/pam-configs/wheel-security-misc
2019-08-01 11:04:22 +00:00
Patrick Schleizer
89d32402b2
fix, do not use "," inside /usr/share/pam-configs files
2019-07-31 14:52:29 -04:00
Patrick Schleizer
cf90668756
lock user accounts after 5 failed authentication attempts using pam_tally2
2019-07-31 03:25:02 -04:00
Patrick Schleizer
3e29761560
debug at the end
2019-07-31 03:17:06 -04:00
Patrick Schleizer
5cdb3edb32
usr/share/pam-configs/wheel -> usr/share/pam-configs/security-misc
2019-07-31 03:16:41 -04:00
Patrick Schleizer
3f9437f1ec
Revert "set back to default group "root" rather than group "sudo" membership required to use su"
...
This reverts commit 2f276cdb10.
2019-07-17 14:25:19 -04:00
Patrick Schleizer
2f276cdb10
set back to default group "root" rather than group "sudo" membership required to use su
...
since root login will be locked by default anyhow
Thanks to @madaidan for providing the rationale!
https://forums.whonix.org/t/restrict-root-access/7658/42
2019-07-15 08:44:28 -04:00
Patrick Schleizer
6d1e8ac9a4
description
2019-07-14 11:16:49 +00:00
Patrick Schleizer
ffb61f43ea
fix, add 'group=sudo' and 'debug' for debugging
...
https://forums.whonix.org/t/restrict-root-access/7658
2019-07-14 11:11:59 +00:00
Patrick Schleizer
6af2d7facb
copyright
2019-07-13 18:12:25 +00:00
Patrick Schleizer
75f0ca565d
set -e
2019-07-13 18:12:04 +00:00
Patrick Schleizer
c389e13e1a
use pre.bsh
2019-07-13 17:59:49 +00:00
Patrick Schleizer
e9eb38b5db
formatting
2019-07-13 15:04:09 +00:00
Patrick Schleizer
cb668459e8
port umask from /etc/pam.d to /usr/share/pam-configs implementation
...
https://forums.whonix.org/t/change-default-umask/7416
2019-07-13 10:35:10 -04:00
Patrick Schleizer
69b97981f3
convert etc/pam.d/su.security-misc to usr/share/pam-configs/wheel
...
https://forums.whonix.org/t/restrict-root-access/7658/32
2019-07-13 12:33:51 +00:00
Patrick Schleizer
bea98474ba
chmod +x usr/lib/security-misc/panic-on-oops
2019-07-11 07:07:21 +00:00
madaidan
52c61011d4
Create panic-on-oops
2019-07-08 22:58:56 +00:00
Patrick Schleizer
a978fe1000
chmod +x usr/lib/security-misc/remove-system.map
2019-06-28 07:17:35 +00:00
madaidan
9392c8deb2
Update remove-system.map
2019-06-26 15:03:54 +00:00
madaidan
8ef0db17e6
Use a for loop to detect if System.map exists
2019-06-26 12:59:45 +00:00
madaidan
382e336f69
Create remove-system.map
2019-06-25 19:20:27 +00:00
Patrick Schleizer
f9acd890a7
lintian
2019-06-09 10:24:24 +00:00
Patrick Schleizer
c040117fe4
lintian
2019-05-12 10:50:34 +00:00
Patrick Schleizer
6ba1fb70d2
port to debian buster
2019-04-05 14:06:00 -04:00
Patrick Schleizer
811dcee2cb
fix lintian warning
2019-04-05 09:26:18 -04:00
Patrick Schleizer
5b3fc2f6b9
update copyright
2018-01-29 15:22:05 +00:00
Patrick Schleizer
c3b6a44e97
update copyright
2018-01-29 15:15:17 +00:00
Patrick Schleizer
ff28f5932c
update copyright
2018-01-29 15:09:42 +00:00
Patrick Schleizer
f6bc188485
comment
2017-02-28 15:22:54 +01:00
Patrick Schleizer
18e23af784
cleanup
2017-02-27 23:59:37 +00:00
Patrick Schleizer
6195450eb2
No longer ignore duplicate apt sources in apt-get-wrapper.
...
No longer acceptable because these generate lots of noise in the terminal.
2017-02-27 23:57:04 +00:00
Patrick Schleizer
191918027c
adjust apt-get-wrapper for Debian stretch's apt-get
2017-02-27 23:43:02 +00:00
Patrick Schleizer
2130b4c654
use python rather than unbuffer
...
because unbuffer eats exit code when process is killed
2017-02-27 23:16:32 +00:00
Patrick Schleizer
cc351165dc
apt-get-wrapper:
...
- fix exit code handling
- code simplification
2017-02-27 19:36:38 +00:00
Patrick Schleizer
5653b7732a
fix, show progress during apt-get-wrapper
...
fix, propagate signals to apt-get child process
2017-02-26 23:57:17 +00:00
Patrick Schleizer
49cde21078
Whonix 14 KDE plasma 5 fixes
...
https://phabricator.whonix.org/T633
2017-02-21 19:54:41 +00:00
Patrick Schleizer
5ba2a5b6ff
disable previews in nautilus by default for better security
...
copied solution by @unman
https://github.com/QubesOS/qubes-issues/issues/1108
https://github.com/QubesOS/qubes-core-agent-linux/pull/39
https://phabricator.whonix.org/T500
2017-02-19 22:25:28 +00:00
Patrick Schleizer
bddbba84a6
"$@"
2017-02-14 17:30:31 +00:00
Patrick Schleizer
9b0d3e34fc
add usr/lib/security-misc/apt-get-update-sanity-test
...
a CVE-2016-1252 sanity test script
2017-02-14 02:37:08 +00:00
Patrick Schleizer
90f175e117
double apt-get-update wrapper timeout from 120 to 240 seconds
...
since it takes a bit longer than 120 seconds for me on a fast connection
2017-02-08 14:26:26 +00:00
Patrick Schleizer
0cf6524f0f
apt-get-update: implement SIGINT trap; hide 'ps' output
2016-12-25 02:33:44 +00:00
Patrick Schleizer
c4089d8d40
update path to /usr/lib/security-misc/apt-get-wrapper
2016-12-25 01:36:04 +00:00
Patrick Schleizer
7b01fb9341
remove obsolete comments
2016-12-25 01:35:17 +00:00
Patrick Schleizer
8160cfe1d7
moved apt-get-update and apt-get-wrapper from whonixcheck to security-misc
2016-12-25 01:29:31 +00:00
Patrick Schleizer
d3ccf0eeaf
initial commit
2015-12-15 02:00:24 +00:00