Git-Mirrors/security-misc
1
0
Fork 0
mirror of https://github.com/Kicksecure/security-misc.git synced 2024-10-01 08:25:45 -04:00
Code Issues Packages Projects Releases Wiki Activity
1,951 Commits 2 Branches 291 Tags 8.2 MiB
e15596e7af
Commit Graph

95 Commits

Author SHA1 Message Date
Patrick Schleizer
c86c83cef7
formatting 
https://github.com/Kicksecure/security-misc/issues/157
 2023-12-25 10:31:58 -05:00
Patrick Schleizer
971ff687b1
do not mount /dev/cdrom by default 
https://github.com/Kicksecure/security-misc/issues/157
 2023-12-25 10:30:35 -05:00
Patrick Schleizer
9fce67fcd9
remove superfluous, broken remount mount option 
https://github.com/Kicksecure/security-misc/issues/157
 2023-12-25 10:28:47 -05:00
Patrick Schleizer
40fd8cb608
no nofail mount option to avoid breaking the boot of a system 
unit testing belongs elsewhere

https://github.com/Kicksecure/security-misc/issues/157
 2023-12-25 09:51:09 -05:00
Patrick Schleizer
4aa645f29f
comment 
https://github.com/Kicksecure/security-misc/issues/157
 2023-12-25 09:46:33 -05:00
Patrick Schleizer
2b7aeedb4a
mount /dev/cdrom to /mnt/cdrom (instead of /mnt/cdrom0) and 
nodev,nosuid,noexec

as per:
https://www.debian.org/doc/manuals/securing-debian-manual/ch04s10.en.html

https://github.com/Kicksecure/security-misc/issues/157
 2023-12-25 09:44:51 -05:00
Patrick Schleizer
0d9e9780da
formatting 
https://github.com/Kicksecure/security-misc/issues/157
 2023-12-25 09:37:14 -05:00
Patrick Schleizer
00f9ab4394
/dev devtmpfs 
https://github.com/Kicksecure/security-misc/issues/157
 2023-12-25 09:36:05 -05:00
Patrick Schleizer
55709b3aa0
/tmp tmpfs 
https://github.com/Kicksecure/security-misc/issues/157
 2023-12-25 09:30:57 -05:00
Patrick Schleizer
b0dd967611
usrmerge 
https://github.com/Kicksecure/security-misc/issues/157
 2023-12-25 09:28:08 -05:00
Patrick Schleizer
269fada14a
combine bind lines 
https://github.com/Kicksecure/security-misc/issues/157
 2023-12-25 09:25:14 -05:00
Patrick Schleizer
039de1dc9b
add hardened fstab /usr/share/doc/security-misc/fstab-vm 
to the documentation folder as an example

not directly used by security-misc

will later be used by Kicksecure VM build process

https://github.com/Kicksecure/security-misc/issues/157
 2023-12-12 11:50:11 -05:00
Patrick Schleizer
3bc831a1f7
lintian 2023-11-06 16:27:29 -05:00
Patrick Schleizer
b85d48eb83
do not change default umask for root 
since this causes permission issues in `/etc/`

https://github.com/Kicksecure/security-misc/pull/151
 2023-11-03 10:31:59 -04:00
Patrick Schleizer
07540db90d
Revert "Revert "set default umask to 027"" 
This reverts commit f8913ceb2e.
 2023-11-03 09:45:12 -04:00
Patrick Schleizer
f8913ceb2e
Revert "set default umask to 027" 
This reverts commit cd216095eb.
 2023-11-03 09:43:44 -04:00
Patrick Schleizer
cd216095eb
set default umask to 027 
using package libpam-umask

https://www.debian.org/doc/manuals/securing-debian-manual/ch04s11.en.html#id-1.5.14.19

https://github.com/Kicksecure/security-misc/pull/151
 2023-11-03 09:12:24 -04:00
Patrick Schleizer
a7629b98cf
fix 2023-10-22 15:40:49 -04:00
Patrick Schleizer
25760f7024
bookworm 2023-06-13 08:34:41 +00:00
Raja Grewal
7a4212dd76
Update copyright 2023-03-30 17:08:47 +11:00
Patrick Schleizer
b87d9eb865
lintian 2023-01-24 07:08:13 -05:00
Patrick Schleizer
d31c17ea04
fix 2023-01-07 14:31:14 -05:00
Patrick Schleizer
41d116aa2f
lintian 2023-01-07 14:30:12 -05:00
Patrick Schleizer
8b584c570a
lintian 2022-06-29 16:06:22 -04:00
Patrick Schleizer
1c51d15649
lintian 2022-06-29 15:23:53 -04:00
Patrick Schleizer
6eba53767f
lintian 2022-06-29 14:17:52 -04:00
Patrick Schleizer
cfae7de6a8
lintian 2022-06-29 09:58:37 -04:00
Patrick Schleizer
2d37e3a1af
copyright 2022-05-20 14:46:38 -04:00
Patrick Schleizer
be8c10496f
fix faillock implementation 
dovecot / ssh are exempted
 2021-09-01 15:55:53 -04:00
Patrick Schleizer
582492d6d8
port from pam_tally2 to pam_faillock 
since pam_tally2 was deprecated upstream
 2021-08-10 17:13:00 -04:00
Patrick Schleizer
2bf0e7471c
port from pam_tally2 to pam_faillock 
since pam_tally2 was deprecated upstream
 2021-08-10 15:11:01 -04:00
Patrick Schleizer
2aea74bd71
renamed: usr/libexec/security-misc/pam_tally2-info -> usr/libexec/security-misc/pam-info 
renamed:    usr/libexec/security-misc/pam_tally2_not_if_x -> usr/libexec/security-misc/pam_faillock_not_if_x
renamed:    usr/share/pam-configs/tally2-security-misc -> usr/share/pam-configs/faillock-security-misc
 2021-08-10 15:06:04 -04:00
Patrick Schleizer
50bdd097df
move /usr/lib/security-misc to /usr/libexec/security-misc as per lintian FHS 2021-08-03 12:56:31 -04:00
Patrick Schleizer
8eae635668
update lintian tag name 2021-08-03 11:51:31 -04:00
Patrick Schleizer
b3e34f7f43
comment 2021-07-25 11:27:07 -04:00
Patrick Schleizer
7e128636b3
improve LKRG VirtualBox host configuration 
as per https://github.com/openwall/lkrg/issues/82#issuecomment-886188999
 2021-07-25 11:26:20 -04:00
Patrick Schleizer
257cef24ba
add LKRG compatibility settings automation for VirtualBox hosts 
https://github.com/openwall/lkrg/issues/82
 2021-07-24 18:03:40 -04:00
Patrick Schleizer
a67007f4b7
copyright 2021-03-17 09:45:21 -04:00
Patrick Schleizer
9622f28e25
skip counting failed login attempts from dovecot 
Failed dovecot logins should not result in account getting locked.

revert "use pam_tally2 only for login"
 2021-01-27 05:49:34 -05:00
Patrick Schleizer
6757104aa4
use pam_tally2 only for login 
to skip counting failed login attempts over ssh and mail login
 2021-01-24 05:04:48 -05:00
Patrick Schleizer
5c81e1f23f
import from anon-gpg-conf 2020-04-06 09:25:45 -04:00
Patrick Schleizer
2ceea8d1fe
update copyright year 2020-04-01 08:49:59 -04:00
Patrick Schleizer
300f010fc2
increase priority of pam-abort-on-locked-password-security-misc 
since it has its own user help output

so it shows before pam tally2 info

to avoid duplicate non-applicable help text
 2019-12-12 09:29:00 -05:00
Patrick Schleizer
729fa26eca
use pam_acccess only for /etc/pam.d/login 
remove "Allow members of group 'ssh' to login."
remove "+:ssh:ALL EXCEPT LOCAL"
 2019-12-12 09:00:08 -05:00
Patrick Schleizer
c192644ee3
security-misc /usr/share/pam-configs/permission-lockdown-security-misc is no longer required, removed. 
Thereby fix apparmor issue.

> Dec 08 09:47:50 host audit[3232]: AVC apparmor="DENIED" operation="exec" profile="/usr/bin/whonixcheck" name="/usr/lib/security-misc/permission-lockdown" pid=3232 comm="sudo" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
> Dec 08 09:47:50 host sudo[3232]: pam_exec(sudo:session): execve(/usr/lib/security-misc/permission-lockdown,...) failed: Permission denied

It is no longer required, because...

existing linux user accounts:

* Get permission lock down because security-misc `debian/security-misc.postinst` calls `/usr/lib/security-misc/permission-lockdown`.

new linux user accounts (created at first boot):

* security-misc `/usr/share/pam-configs/mkhomedir-security-misc` pam mkhomedir sets secure permissions using `umask=027`.
 2019-12-08 05:21:35 -05:00
Patrick Schleizer
c7c65fe4e7
higher priority usr/share/pam-configs/tally2-security-misc 
so it can give info before pam stack gets aborted by other pam modules
 2019-12-08 03:15:53 -05:00
Patrick Schleizer
19cc6d7555
pam description 2019-12-08 02:10:43 -05:00
Patrick Schleizer
b871421a54
usr/share/pam-configs/console-lockdown -> usr/share/pam-configs/console-lockdown-security-misc 2019-12-08 01:57:43 -05:00
Patrick Schleizer
6479c883bf
Console Lockdown. 
Allow members of group 'console' to use tty1 to tty7. Everyone else except
members of group 'console-unrestricted' are restricted from using console
using ancient, unpopular login methods such as using /bin/login over networks,
which might be exploitable. (CVE-2001-0797)

Not enabled by default in this package since this package does not know which
users shall be added to group 'console'.

In new Whonix builds, user 'user" will be added to group 'console' and
pam console-lockdown enabled by package anon-base-files.

/usr/share/pam-configs/console-lockdown

/etc/security/access-security-misc.conf

https://forums.whonix.org/t/etc-security-hardening/8592
 2019-12-07 05:40:20 -05:00
Patrick Schleizer
aa5451c8cd
Lock user accounts after 50 rather than 100 failed login attempts. 
https://forums.whonix.org/t/how-strong-do-linux-user-account-passwords-have-to-be-when-using-full-disk-encryption-fde-too/7698/19
 2019-11-25 01:39:53 -05:00