Patrick Schleizer
|
e83ec79a25
|
enable usr/share/pam-configs/mkhomedir-security-misc by default
|
2019-08-11 10:30:51 +00:00 |
|
Patrick Schleizer
|
1eb806a03e
|
pam_mkhomedir.so umask=006
|
2019-08-11 10:29:49 +00:00 |
|
Patrick Schleizer
|
c50eb3c9b0
|
add usr/share/pam-configs/mkhomedir-security-misc based on
/usr/share/pam-configs/mkhomedir
|
2019-08-11 10:28:55 +00:00 |
|
Patrick Schleizer
|
a2fa18c381
|
pam_tally2.so deny=100
during testing, due to issues
d17e25272b
https://forums.whonix.org/t/how-strong-do-linux-user-account-passwords-have-to-be-when-using-full-disk-encryption-fde-too/7698/12
|
2019-08-10 07:07:28 -04:00 |
|
Patrick Schleizer
|
d17e25272b
|
effectively (not directly) add "required pam_tally2.so debug" to /etc/pam.d/common-account
This is required because otherwise something like "sudo bash" would count as a
failed login for pam_tally2 even though it was successful.
https://bugzilla.redhat.com/show_bug.cgi?id=707660
https://forums.whonix.org/t/restrict-root-access/7658
|
2019-08-10 06:06:39 -04:00 |
|
Patrick Schleizer
|
0f896a9d8d
|
add onerr=fail audit to pam_tally2
|
2019-08-10 06:05:37 -04:00 |
|
Patrick Schleizer
|
e076470f68
|
renamed: usr/share/pam-configs/usergroups -> usr/share/pam-configs/usergroups-security-misc
|
2019-08-01 11:04:58 +00:00 |
|
Patrick Schleizer
|
830111e99a
|
split usr/share/pam-configs/security-misc
into
usr/share/pam-configs/tally2-security-misc
usr/share/pam-configs/wheel-security-misc
|
2019-08-01 11:04:22 +00:00 |
|
Patrick Schleizer
|
89d32402b2
|
fix, do not use "," inside /usr/share/pam-configs files
|
2019-07-31 14:52:29 -04:00 |
|
Patrick Schleizer
|
cf90668756
|
lock user accounts after 5 failed authentication attempts using pam_tally2
|
2019-07-31 03:25:02 -04:00 |
|
Patrick Schleizer
|
3e29761560
|
debug at the end
|
2019-07-31 03:17:06 -04:00 |
|
Patrick Schleizer
|
5cdb3edb32
|
usr/share/pam-configs/wheel -> usr/share/pam-configs/security-misc
|
2019-07-31 03:16:41 -04:00 |
|
Patrick Schleizer
|
3f9437f1ec
|
Revert "set back to default group "root" rather than group "sudo" membership required to use su"
This reverts commit 2f276cdb10.
|
2019-07-17 14:25:19 -04:00 |
|
Patrick Schleizer
|
2f276cdb10
|
set back to default group "root" rather than group "sudo" membership required to use su
since root login will be locked by default anyhow
Thanks to @madaidan for providing the rationale!
https://forums.whonix.org/t/restrict-root-access/7658/42
|
2019-07-15 08:44:28 -04:00 |
|
Patrick Schleizer
|
6d1e8ac9a4
|
description
|
2019-07-14 11:16:49 +00:00 |
|
Patrick Schleizer
|
ffb61f43ea
|
fix, add 'group=sudo' and 'debug' for debugging
https://forums.whonix.org/t/restrict-root-access/7658
|
2019-07-14 11:11:59 +00:00 |
|
Patrick Schleizer
|
6af2d7facb
|
copyright
|
2019-07-13 18:12:25 +00:00 |
|
Patrick Schleizer
|
75f0ca565d
|
set -e
|
2019-07-13 18:12:04 +00:00 |
|
Patrick Schleizer
|
c389e13e1a
|
use pre.bsh
|
2019-07-13 17:59:49 +00:00 |
|
Patrick Schleizer
|
e9eb38b5db
|
formatting
|
2019-07-13 15:04:09 +00:00 |
|
Patrick Schleizer
|
cb668459e8
|
port umask from /etc/pam.d to /usr/share/pam-configs implementation
https://forums.whonix.org/t/change-default-umask/7416
|
2019-07-13 10:35:10 -04:00 |
|
Patrick Schleizer
|
69b97981f3
|
convert etc/pam.d/su.security-misc to usr/share/pam-configs/wheel
https://forums.whonix.org/t/restrict-root-access/7658/32
|
2019-07-13 12:33:51 +00:00 |
|
Patrick Schleizer
|
bea98474ba
|
chmod +x usr/lib/security-misc/panic-on-oops
|
2019-07-11 07:07:21 +00:00 |
|
madaidan
|
52c61011d4
|
Create panic-on-oops
|
2019-07-08 22:58:56 +00:00 |
|
Patrick Schleizer
|
a978fe1000
|
chmod +x usr/lib/security-misc/remove-system.map
|
2019-06-28 07:17:35 +00:00 |
|
madaidan
|
9392c8deb2
|
Update remove-system.map
|
2019-06-26 15:03:54 +00:00 |
|
madaidan
|
8ef0db17e6
|
Use a for loop to detect if System.map exists
|
2019-06-26 12:59:45 +00:00 |
|
madaidan
|
382e336f69
|
Create remove-system.map
|
2019-06-25 19:20:27 +00:00 |
|
Patrick Schleizer
|
f9acd890a7
|
lintian
|
2019-06-09 10:24:24 +00:00 |
|
Patrick Schleizer
|
c040117fe4
|
lintian
|
2019-05-12 10:50:34 +00:00 |
|
Patrick Schleizer
|
6ba1fb70d2
|
port to debian buster
|
2019-04-05 14:06:00 -04:00 |
|
Patrick Schleizer
|
811dcee2cb
|
fix lintian warning
|
2019-04-05 09:26:18 -04:00 |
|
Patrick Schleizer
|
5b3fc2f6b9
|
update copyright
|
2018-01-29 15:22:05 +00:00 |
|
Patrick Schleizer
|
c3b6a44e97
|
update copyright
|
2018-01-29 15:15:17 +00:00 |
|
Patrick Schleizer
|
ff28f5932c
|
update copyright
|
2018-01-29 15:09:42 +00:00 |
|
Patrick Schleizer
|
f6bc188485
|
comment
|
2017-02-28 15:22:54 +01:00 |
|
Patrick Schleizer
|
18e23af784
|
cleanup
|
2017-02-27 23:59:37 +00:00 |
|
Patrick Schleizer
|
6195450eb2
|
No longer ignore duplicate apt sources in apt-get-wrapper.
No longer acceptable because these generate lots of noise in the terminal.
|
2017-02-27 23:57:04 +00:00 |
|
Patrick Schleizer
|
191918027c
|
adjust apt-get-wrapper for Debian stretch's apt-get
|
2017-02-27 23:43:02 +00:00 |
|
Patrick Schleizer
|
2130b4c654
|
use python rather than unbuffer
because unbuffer eats exit code when process is killed
|
2017-02-27 23:16:32 +00:00 |
|
Patrick Schleizer
|
cc351165dc
|
apt-get-wrapper:
- fix exit code handling
- code simplification
|
2017-02-27 19:36:38 +00:00 |
|
Patrick Schleizer
|
5653b7732a
|
fix, show progress during apt-get-wrapper
fix, propagate signals to apt-get child process
|
2017-02-26 23:57:17 +00:00 |
|
Patrick Schleizer
|
49cde21078
|
Whonix 14 KDE plasma 5 fixes
https://phabricator.whonix.org/T633
|
2017-02-21 19:54:41 +00:00 |
|
Patrick Schleizer
|
5ba2a5b6ff
|
disable previews in nautilus by default for better security
copied solution by @unman
https://github.com/QubesOS/qubes-issues/issues/1108
https://github.com/QubesOS/qubes-core-agent-linux/pull/39
https://phabricator.whonix.org/T500
|
2017-02-19 22:25:28 +00:00 |
|
Patrick Schleizer
|
bddbba84a6
|
"$@"
|
2017-02-14 17:30:31 +00:00 |
|
Patrick Schleizer
|
9b0d3e34fc
|
add usr/lib/security-misc/apt-get-update-sanity-test
a CVE-2016-1252 sanity test script
|
2017-02-14 02:37:08 +00:00 |
|
Patrick Schleizer
|
90f175e117
|
double apt-get-update wrapper timeout from 120 to 240 seconds
since it takes a bit longer than 120 seconds for me on a fast connection
|
2017-02-08 14:26:26 +00:00 |
|
Patrick Schleizer
|
0cf6524f0f
|
apt-get-update: implement SIGINT trap; hide 'ps' output
|
2016-12-25 02:33:44 +00:00 |
|
Patrick Schleizer
|
c4089d8d40
|
update path to /usr/lib/security-misc/apt-get-wrapper
|
2016-12-25 01:36:04 +00:00 |
|
Patrick Schleizer
|
7b01fb9341
|
remove obsolete comments
|
2016-12-25 01:35:17 +00:00 |
|
Patrick Schleizer
|
8160cfe1d7
|
moved apt-get-update and apt-get-wrapper from whonixcheck to security-misc
|
2016-12-25 01:29:31 +00:00 |
|
Patrick Schleizer
|
d3ccf0eeaf
|
initial commit
|
2015-12-15 02:00:24 +00:00 |
|