Patrick Schleizer
|
db301dfd7f
|
comment
|
2022-06-29 13:02:39 -04:00 |
|
Patrick Schleizer
|
73d2ada0de
|
comment
|
2022-06-29 13:02:01 -04:00 |
|
Patrick Schleizer
|
295811a88f
|
improvements
|
2022-06-29 11:14:52 -04:00 |
|
Patrick Schleizer
|
cfae7de6a8
|
lintian
|
2022-06-29 09:58:37 -04:00 |
|
Patrick Schleizer
|
024d52a67e
|
improve usr/lib/dracut/modules.d/40sdmem-security-misc/module-setup.sh
|
2022-06-29 09:52:53 -04:00 |
|
Patrick Schleizer
|
29253004b6
|
minor
|
2022-06-29 09:38:18 -04:00 |
|
Patrick Schleizer
|
6f19af1542
|
add shebang /bin/sh
to fix lintian warning
security-misc: executable-not-elf-or-script usr/lib/dracut/modules.d/40sdmem-security-misc/wipe.sh
|
2022-06-29 09:35:08 -04:00 |
|
Patrick Schleizer
|
38cdf2722b
|
- Wipe LUKS Disk Encryption Key for Root Disk from RAM during Shutdown to defeat Cold Boot Attacks
- Confirm in console output if encrypted mounts (root disk) is unmounted. (Because that is a pre-condition for wiping the LUKS full disk encryption key from RAM.)
Thanks to @friedy10!
https://github.com/friedy10/dracut/tree/master/modules.d/40sdmem
https://forums.whonix.org/t/is-ram-wipe-possible-inside-whonix-cold-boot-attack-defense/5596
|
2022-06-29 09:32:55 -04:00 |
|
Patrick Schleizer
|
d7dd188651
|
remove unicode
|
2022-06-08 09:27:02 -04:00 |
|
Patrick Schleizer
|
55d16e1602
|
remove unicode
|
2022-06-08 09:04:03 -04:00 |
|
Kuri Schlarb
|
2bdda9d0a0
|
permssion-hardening: Do not skip config file lines without trailing newline (ancient bash bug)
|
2022-06-07 08:18:05 +00:00 |
|
Kuri Schlarb
|
9fd8e1c9b0
|
permission-hardening: Fix issue with pipelining failures causing incorrect user/group lookup results
|
2022-06-07 08:03:56 +00:00 |
|
Patrick Schleizer
|
2d37e3a1af
|
copyright
|
2022-05-20 14:46:38 -04:00 |
|
Patrick Schleizer
|
7651308787
|
Merge pull request #103 from 0xC0ncord/bugfix/selinuxfs_restrictions
hide-hardware-info: re-enable restrictions on sysfs when using SELinux
|
2022-05-19 19:39:42 -04:00 |
|
Patrick Schleizer
|
bb0307290b
|
update link
|
2022-04-16 14:18:35 -04:00 |
|
0xC0ncord
|
93efa506da
|
hide-hardware-info: disable selinux whitelist by default
|
2022-03-17 11:41:57 -04:00 |
|
Patrick Schleizer
|
b0a0004a85
|
output
|
2022-02-10 13:47:10 -05:00 |
|
Patrick Schleizer
|
4f6f588fb5
|
fix, skip deletion of system.map files on read-only filesystems
This is required for Qubes /lib/modules read-only implementation at time of writing.
Thanks to @marmarek for the bug report!
https://forums.whonix.org/t/remove-system-map-cannot-work-lib-modules-is-mounted-read-only/13324
|
2022-02-10 13:44:55 -05:00 |
|
0xC0ncord
|
4172232eb7
|
hide-hardware-info: make indentation consistent
|
2021-10-10 16:03:40 -04:00 |
|
0xC0ncord
|
060d7d890a
|
hide-hardware-info: re-enable restrictions on sysfs when using SELinux
When using SELinux, restrict the parts of sysfs explicitly to ensure
restrictions are working as expected.
|
2021-10-10 16:03:07 -04:00 |
|
Patrick Schleizer
|
be8c10496f
|
fix faillock implementation
dovecot / ssh are exempted
|
2021-09-01 15:55:53 -04:00 |
|
Patrick Schleizer
|
8b104f544a
|
fix, add sshd to pam_service_exclusion_list
to avoid faillock
|
2021-09-01 15:45:36 -04:00 |
|
Patrick Schleizer
|
db43cedcfd
|
LANG=C str_replace
|
2021-08-22 05:23:24 -04:00 |
|
Patrick Schleizer
|
582492d6d8
|
port from pam_tally2 to pam_faillock
since pam_tally2 was deprecated upstream
|
2021-08-10 17:13:00 -04:00 |
|
Patrick Schleizer
|
2bf0e7471c
|
port from pam_tally2 to pam_faillock
since pam_tally2 was deprecated upstream
|
2021-08-10 15:11:01 -04:00 |
|
Patrick Schleizer
|
2aea74bd71
|
renamed: usr/libexec/security-misc/pam_tally2-info -> usr/libexec/security-misc/pam-info
renamed: usr/libexec/security-misc/pam_tally2_not_if_x -> usr/libexec/security-misc/pam_faillock_not_if_x
renamed: usr/share/pam-configs/tally2-security-misc -> usr/share/pam-configs/faillock-security-misc
|
2021-08-10 15:06:04 -04:00 |
|
Patrick Schleizer
|
50bdd097df
|
move /usr/lib/security-misc to /usr/libexec/security-misc as per lintian FHS
|
2021-08-03 12:56:31 -04:00 |
|
Patrick Schleizer
|
4fadaad8c0
|
lintian FHS
|
2021-08-03 12:52:10 -04:00 |
|
Patrick Schleizer
|
6607c1e4bd
|
move /usr/lib/helper-scripts and /usr/lib/curl-scripts to /usr/libexec/helper-scripts as per lintian FHS
|
2021-08-03 12:48:57 -04:00 |
|
Patrick Schleizer
|
240ec7672a
|
replace no longer required /usr/lib/security-misc/apt-get-wrapper with apt-get --error-on=any
|
2021-08-03 12:19:26 -04:00 |
|
Patrick Schleizer
|
8eae635668
|
update lintian tag name
|
2021-08-03 11:51:31 -04:00 |
|
Patrick Schleizer
|
bb3e65f7a8
|
bullseye
|
2021-08-03 03:25:35 -04:00 |
|
Patrick Schleizer
|
b3e34f7f43
|
comment
|
2021-07-25 11:27:07 -04:00 |
|
Patrick Schleizer
|
7e128636b3
|
improve LKRG VirtualBox host configuration
as per https://github.com/openwall/lkrg/issues/82#issuecomment-886188999
|
2021-07-25 11:26:20 -04:00 |
|
Patrick Schleizer
|
257cef24ba
|
add LKRG compatibility settings automation for VirtualBox hosts
https://github.com/openwall/lkrg/issues/82
|
2021-07-24 18:03:40 -04:00 |
|
Patrick Schleizer
|
74e39cbf69
|
pam-abort-on-locked-password: more descriptive error handling
https://forums.whonix.org/t/restrict-root-access/7658/1
|
2021-06-20 11:18:56 -04:00 |
|
Patrick Schleizer
|
a67007f4b7
|
copyright
|
2021-03-17 09:45:21 -04:00 |
|
Patrick Schleizer
|
a1819e8cab
|
comment
|
2021-03-01 09:15:44 -05:00 |
|
Kenton Groombridge
|
4db7d6be64
|
hide-hardware-info: allow unrestricting selinuxfs
On SELinux systems, the /sys/fs/selinux directory must be visible to
userspace utilities in order to function properly.
|
2021-02-06 03:02:08 -05:00 |
|
Patrick Schleizer
|
af3244741d
|
comment
|
2021-01-29 23:15:52 -05:00 |
|
Patrick Schleizer
|
b0b7f569ee
|
comment
|
2021-01-28 02:11:54 -05:00 |
|
Patrick Schleizer
|
9622f28e25
|
skip counting failed login attempts from dovecot
Failed dovecot logins should not result in account getting locked.
revert "use pam_tally2 only for login"
|
2021-01-27 05:49:34 -05:00 |
|
Patrick Schleizer
|
6757104aa4
|
use pam_tally2 only for login
to skip counting failed login attempts over ssh and mail login
|
2021-01-24 05:04:48 -05:00 |
|
Patrick Schleizer
|
c5097ed599
|
comment
|
2020-12-06 04:23:09 -05:00 |
|
Patrick Schleizer
|
c031f22995
|
SUID Disabler and Permission Hardener: introduce configuration option to disable all whitelists
`whitelists_disable_all=true`
|
2020-12-01 05:14:48 -05:00 |
|
Patrick Schleizer
|
b09cc0de6a
|
Revert "SUID Disabler and Permission Hardener: introduce configuration option to disable all whitelists"
This reverts commit 36a471ebce .
|
2020-12-01 05:10:26 -05:00 |
|
Patrick Schleizer
|
36a471ebce
|
SUID Disabler and Permission Hardener: introduce configuration option to disable all whitelists
`whitelists_disable_all=true`
|
2020-12-01 05:02:34 -05:00 |
|
Patrick Schleizer
|
28a326a8a1
|
add feature /usr/lib/security-misc/permission-hardening-undo /path/to/filename
to allow removing 1 SUID
fix, show INFO message if file does not exist during removal rather than ERROR
|
2020-11-28 05:31:12 -05:00 |
|
Patrick Schleizer
|
abae787186
|
usability: pam abort when attempting to login to root when root password is locked
|
2020-11-05 06:47:16 -05:00 |
|
Patrick Schleizer
|
581e31af81
|
comment
|
2020-11-05 06:46:57 -05:00 |
|