security-misc

mirror of https://github.com/Kicksecure/security-misc.git synced 2024-10-01 08:25:45 -04:00

Author	SHA1	Message	Date
Patrick Schleizer	2e833b40a1	prevent "wait: pid 55 is not a child of this shell"	2023-01-07 16:43:09 -05:00
Patrick Schleizer	3777ecba85	comment	2023-01-07 16:34:19 -05:00
Patrick Schleizer	e0ded5e69d	comment	2023-01-07 16:34:04 -05:00
Patrick Schleizer	996c6af2d8	lower debugging	2023-01-07 16:31:23 -05:00
Patrick Schleizer	4fca8f4225	comment	2023-01-07 16:28:11 -05:00
Patrick Schleizer	2bd9cc5bc1	output	2023-01-07 16:08:12 -05:00
Patrick Schleizer	2456fed361	output	2023-01-07 16:00:42 -05:00
Patrick Schleizer	c0b5fea680	protect against wipe RAM reboot loop	2023-01-07 15:59:52 -05:00
Patrick Schleizer	91aedb234a	output	2023-01-07 15:36:36 -05:00
Patrick Schleizer	368ad8e636	cleanup	2023-01-07 15:36:05 -05:00
Patrick Schleizer	d8bf40f7a2	refactoring	2023-01-07 15:35:45 -05:00
Patrick Schleizer	166a6863a1	output	2023-01-07 15:35:15 -05:00
Patrick Schleizer	20596488be	long options	2023-01-07 15:34:20 -05:00
Patrick Schleizer	b0630f58c1	debugging	2023-01-07 15:24:05 -05:00
Patrick Schleizer	dde01f3663	long options	2023-01-07 15:23:23 -05:00
Patrick Schleizer	6e0926eece	long options	2023-01-07 15:22:58 -05:00
Patrick Schleizer	51a5f68c76	refactoring	2023-01-07 15:22:25 -05:00
Patrick Schleizer	83800fcb4f	--no-legend	2023-01-07 15:18:58 -05:00
Patrick Schleizer	822cf64618	output	2023-01-07 15:13:36 -05:00
Patrick Schleizer	bb2f0a3c44	minor	2023-01-07 15:12:15 -05:00
Patrick Schleizer	c3a822af0e	test if readable	2023-01-07 15:09:25 -05:00
Patrick Schleizer	227871c12c	output	2023-01-07 15:07:34 -05:00
Patrick Schleizer	c09f4da192	code simplification	2023-01-07 15:06:56 -05:00
Patrick Schleizer	01fee8a7b4	refactoring	2023-01-07 15:06:31 -05:00
Patrick Schleizer	f675f8da0d	quotes	2023-01-07 15:05:58 -05:00
Patrick Schleizer	d0daf75db3	quotes	2023-01-07 15:05:24 -05:00
Patrick Schleizer	8bcf7e3c23	minor	2023-01-07 15:04:57 -05:00
Patrick Schleizer	2cc3c6c59c	lower debugging	2023-01-07 15:04:42 -05:00
Patrick Schleizer	10932bb5d8	minor	2023-01-07 15:04:23 -05:00
Patrick Schleizer	c88e95ce33	output	2023-01-07 15:04:07 -05:00
Patrick Schleizer	06034d2e4f	fix	2023-01-07 15:03:06 -05:00
Patrick Schleizer	059ebb212d	comment	2023-01-07 14:35:30 -05:00
Patrick Schleizer	c0304ec029	minor	2023-01-07 14:35:09 -05:00
Patrick Schleizer	d31c17ea04	fix	2023-01-07 14:31:14 -05:00
Patrick Schleizer	41d116aa2f	lintian	2023-01-07 14:30:12 -05:00
Patrick Schleizer	e83ba18553	minor	2023-01-07 14:29:12 -05:00
Patrick Schleizer	bb121e52bb	chmod +x	2023-01-07 14:27:22 -05:00
Patrick Schleizer	d37b19fb6b	comment	2023-01-07 12:55:05 -05:00
Patrick Schleizer	0367250dc7	comment	2023-01-07 12:54:35 -05:00
Patrick Schleizer	c1df2fd601	comment	2023-01-07 12:52:14 -05:00
Patrick Schleizer	c2b20603fd	output	2023-01-07 12:49:18 -05:00
Patrick Schleizer	999a82ed94	output	2023-01-07 12:46:21 -05:00
Patrick Schleizer	2860560edb	minor	2023-01-07 12:43:07 -05:00
Friedrich Doku	b8e82fffca	Get rid of /dev/kmsg	2023-01-07 11:31:02 -05:00
Friedrich Doku	78a4fad667	Change echo to info. Included more reliable way of getting initrd and kernel. Allow user custom kexec	2023-01-07 11:14:31 -05:00
Friedrich Doku	8da3b9c40c	fix last line	2023-01-06 21:40:17 -05:00
Friedrich Doku	7cf51a1b43	Checking job queue instead of dbus	2023-01-06 21:32:57 -05:00
Friedrich Doku	4b7053a635	Update wipe-ram.sh	2023-01-06 13:53:28 -05:00
Friedrich Doku	779ad24b57	Update wipe-ram-needshutdown.sh	2023-01-06 13:53:18 -05:00
Friedrich Doku	d45ba826bc	Update module-setup.sh	2023-01-06 13:53:10 -05:00
Friedrich Doku	b3d4314a06	Update wipe-ram.sh	2023-01-06 13:52:51 -05:00
Friedrich Doku	3387725017	Update wipe-ram-needshutdown.sh	2023-01-06 13:52:42 -05:00
Friedrich Doku	ec68ee6ded	Update module-setup.sh	2023-01-06 13:52:32 -05:00
Friedrich Doku	62dcdcf764	Update cold-boot-attack-defense-kexec-prepare	2023-01-06 13:51:45 -05:00
Friedrich Doku	14abfbfccd	Update cold-boot-attack-defense-kexec-prepare	2023-01-06 13:48:03 -05:00
Friedrich Doku	37a5264696	Update wipe-ram.sh	2023-01-06 13:47:34 -05:00
Friedrich Doku	7ac45acd0f	Update wipe-ram-needshutdown.sh	2023-01-06 13:47:23 -05:00
Friedrich Doku	114a37fcd3	Update module-setup.sh	2023-01-06 13:47:14 -05:00
Friedrich Doku	1eeb32b7b9	Update wipe-ram.sh	2023-01-06 13:47:01 -05:00
Friedrich Doku	c5accc5ad1	Update wipe-ram-needshutdown.sh	2023-01-06 13:46:51 -05:00
Friedrich Doku	f9ebc3cfa8	Update module-setup.sh	2023-01-06 13:46:40 -05:00
Friedrich Doku	28687092ef	Update cold-boot-attack-defense-kexec-prepare	2023-01-06 12:52:36 -05:00
Friedrich Doku	d67d3c1d7d	Update wipe-ram.sh	2023-01-06 12:51:18 -05:00
Friedrich Doku	7fa64d6842	Update wipe-ram-needshutdown.sh	2023-01-06 12:50:58 -05:00
Friedrich Doku	14c7239681	Update module-setup.sh	2023-01-06 12:50:42 -05:00
Friedrich Doku	73913ea5af	Added checks	2023-01-06 12:49:34 -05:00
Friedrich Doku	a7015f4ddf	added files	2023-01-06 10:50:34 -05:00
Patrick Schleizer	6d7a782624	fix	2022-11-24 07:21:46 -05:00
Patrick Schleizer	421f03ae9e	fix	2022-11-24 07:20:56 -05:00
Patrick Schleizer	a806c782d7	fix	2022-11-24 07:00:23 -05:00
Patrick Schleizer	39b35ef9ac	fix	2022-11-24 06:49:15 -05:00
Patrick Schleizer	d05c101721	debugging	2022-11-24 06:31:24 -05:00
Patrick Schleizer	36454c2dbf	debugging	2022-11-24 06:25:47 -05:00
Patrick Schleizer	e06b173a1b	debugging	2022-11-24 06:24:14 -05:00
Patrick Schleizer	497b5b4544	fix	2022-11-24 06:14:04 -05:00
Patrick Schleizer	e5255a630a	pam-info: support non-root environments (such as during graphical display manager login and xscreensaver)	2022-11-22 05:57:30 -05:00
Patrick Schleizer	09e6af5c08	pam-info refactoring	2022-11-16 02:01:23 -05:00
Patrick Schleizer	caf0099064	pam-info refactoring	2022-11-16 02:00:32 -05:00
Patrick Schleizer	487f63bb01	comment	2022-11-16 01:56:01 -05:00
Patrick Schleizer	f59f959a8d	pam-info fix	2022-11-16 01:55:14 -05:00
Patrick Schleizer	ae113442a1	pam-info refactoring	2022-11-16 01:49:45 -05:00
Patrick Schleizer	bb6b509d06	pam-info refactoring	2022-11-16 01:44:21 -05:00
Patrick Schleizer	e5d7ab7082	comment	2022-11-15 12:44:12 -05:00
Patrick Schleizer	23b936b573	also support /usr/local/etc/pam-info-debug	2022-11-15 12:31:14 -05:00
Patrick Schleizer	95487346db	pam-info: create debug log file ~/pam-info-debug.txt when file /etc/pam-info-debug exists	2022-11-15 12:29:41 -05:00
Patrick Schleizer	2872c2ab52	comments	2022-11-15 12:00:59 -05:00
Patrick Schleizer	6033de7815	debugging	2022-11-15 11:58:50 -05:00
Patrick Schleizer	272a33fe2c	addgroup -> adduser fix	2022-08-13 11:35:25 -04:00
Patrick Schleizer	82da4ed18f	comments	2022-07-28 09:56:24 -04:00
Patrick Schleizer	a6bee1493d	cold-boot-attack-defense wait longer to make messages readable by user	2022-07-28 09:55:12 -04:00
Patrick Schleizer	053142cdb5	fix	2022-07-26 10:00:21 -04:00
Patrick Schleizer	3b844eaab2	output	2022-07-09 11:42:11 -04:00
Patrick Schleizer	73d2c9d921	output	2022-07-09 11:40:15 -04:00
Patrick Schleizer	adfdac6dea	output	2022-07-09 11:40:01 -04:00
Patrick Schleizer	1df2cfd1ad	comment	2022-07-09 11:38:37 -04:00
Patrick Schleizer	fede41e6e0	fix	2022-07-09 11:38:04 -04:00
Krish-sysadmin	e5f8004a94	Update hide-hardware-info	2022-07-05 03:37:40 +02:00
Patrick Schleizer	69af8be7b8	drop_caches before and after sdmem	2022-07-02 19:10:55 -04:00
Patrick Schleizer	67bdd58bf2	sync	2022-07-02 19:07:06 -04:00
Patrick Schleizer	973f117aa6	wipe RAM at shutdown: Ensure any remaining disk cache is erased by Linux' memory poisoning by running: `echo 3 > /proc/sys/vm/drop_caches` Inspired by Tails: https://gitlab.tails.boum.org/tails/tails/-/blob/master/config/chroot_local-includes/usr/local/lib/initramfs-pre-shutdown-hook	2022-07-02 18:12:36 -04:00
Patrick Schleizer	95187bd357	fix	2022-07-02 17:21:33 -04:00
Patrick Schleizer	148a050468	fix	2022-07-02 16:03:45 -04:00
Patrick Schleizer	82e7863d5b	improvement	2022-07-02 16:02:28 -04:00
Patrick Schleizer	1144b39e5e	debugging	2022-07-02 15:50:59 -04:00
Patrick Schleizer	c29b21c08a	output	2022-07-02 15:45:19 -04:00
Patrick Schleizer	d34fe21963	fix	2022-07-02 15:32:42 -04:00
Patrick Schleizer	32fdcf522b	- introduce `wiperam=skip` kernel parameter to skip wipe ram - introduce `wiperam=force` kernel parameter to force wipe ram inside VMs	2022-06-30 14:47:45 -04:00
Patrick Schleizer	036f518ddc	improvement	2022-06-30 13:56:29 -04:00
Patrick Schleizer	0e2fae2b69	skip ram wipe inside VMs https://forums.whonix.org/t/is-ram-wipe-possible-inside-whonix-cold-boot-attack-defense/5596/40	2022-06-30 13:50:18 -04:00
Patrick Schleizer	e06405c7be	undo	2022-06-29 16:56:16 -04:00
Patrick Schleizer	1b97d9cb76	fix	2022-06-29 16:30:31 -04:00
Patrick Schleizer	92c543e71f	output	2022-06-29 16:24:52 -04:00
Patrick Schleizer	d4161b2748	output	2022-06-29 16:23:42 -04:00
Patrick Schleizer	1ce7b27297	improvement	2022-06-29 16:23:12 -04:00
Patrick Schleizer	8b584c570a	lintian	2022-06-29 16:06:22 -04:00
Patrick Schleizer	f5e0c1742a	credits	2022-06-29 16:02:05 -04:00
Patrick Schleizer	42e24f3c24	update file names	2022-06-29 15:54:49 -04:00
Patrick Schleizer	52aaac9b6d	rename	2022-06-29 15:53:52 -04:00
Patrick Schleizer	619bb3cf4d	rename	2022-06-29 15:53:24 -04:00
Patrick Schleizer	2a8504cf1b	move	2022-06-29 15:51:14 -04:00
Patrick Schleizer	af8b211c23	improvements	2022-06-29 15:50:20 -04:00
Patrick Schleizer	e9cd5d934b	copyright	2022-06-29 15:24:27 -04:00
Patrick Schleizer	1c51d15649	lintian	2022-06-29 15:23:53 -04:00
Patrick Schleizer	9ab81d4581	do not power off too fast so wipe ram messages can be read	2022-06-29 15:22:00 -04:00
Patrick Schleizer	19439033de	copyright	2022-06-29 15:19:56 -04:00
Patrick Schleizer	fc202ede16	delete no longer required `usr/lib/dracut/modules.d/40sdmem-security-misc/README.md`	2022-06-29 15:18:28 -04:00
Patrick Schleizer	6d3a08a936	improvements	2022-06-29 15:17:40 -04:00
Patrick Schleizer	6eba53767f	lintian	2022-06-29 14:17:52 -04:00
Patrick Schleizer	8a072437cc	ram wipe on shutdown: fix, added `need_shutdown` hook Otherwise dracut does not run on shutdown. Without `need_shutdown` file `/run/initramfs/.need_shutdown` does not get created. And without that file `/usr/lib/dracut/dracut-initramfs-restore`, which itself is started by `/lib/systemd/system/dracut-shutdown.service` does nothing.	2022-06-29 14:13:30 -04:00
Patrick Schleizer	924077e04c	verbose	2022-06-29 13:02:53 -04:00
Patrick Schleizer	db301dfd7f	comment	2022-06-29 13:02:39 -04:00
Patrick Schleizer	73d2ada0de	comment	2022-06-29 13:02:01 -04:00
Patrick Schleizer	295811a88f	improvements	2022-06-29 11:14:52 -04:00
Patrick Schleizer	cfae7de6a8	lintian	2022-06-29 09:58:37 -04:00
Patrick Schleizer	024d52a67e	improve usr/lib/dracut/modules.d/40sdmem-security-misc/module-setup.sh	2022-06-29 09:52:53 -04:00
Patrick Schleizer	29253004b6	minor	2022-06-29 09:38:18 -04:00
Patrick Schleizer	6f19af1542	add shebang /bin/sh to fix lintian warning security-misc: executable-not-elf-or-script usr/lib/dracut/modules.d/40sdmem-security-misc/wipe.sh	2022-06-29 09:35:08 -04:00
Patrick Schleizer	38cdf2722b	- Wipe LUKS Disk Encryption Key for Root Disk from RAM during Shutdown to defeat Cold Boot Attacks - Confirm in console output if encrypted mounts (root disk) is unmounted. (Because that is a pre-condition for wiping the LUKS full disk encryption key from RAM.) Thanks to @friedy10! https://github.com/friedy10/dracut/tree/master/modules.d/40sdmem https://forums.whonix.org/t/is-ram-wipe-possible-inside-whonix-cold-boot-attack-defense/5596	2022-06-29 09:32:55 -04:00
Patrick Schleizer	d7dd188651	remove unicode	2022-06-08 09:27:02 -04:00
Patrick Schleizer	55d16e1602	remove unicode	2022-06-08 09:04:03 -04:00
Kuri Schlarb	2bdda9d0a0	permssion-hardening: Do not skip config file lines without trailing newline (ancient bash bug)	2022-06-07 08:18:05 +00:00
Kuri Schlarb	9fd8e1c9b0	permission-hardening: Fix issue with pipelining failures causing incorrect user/group lookup results	2022-06-07 08:03:56 +00:00
Patrick Schleizer	2d37e3a1af	copyright	2022-05-20 14:46:38 -04:00
Patrick Schleizer	7651308787	Merge pull request #103 from 0xC0ncord/bugfix/selinuxfs_restrictions hide-hardware-info: re-enable restrictions on sysfs when using SELinux	2022-05-19 19:39:42 -04:00
Patrick Schleizer	bb0307290b	update link	2022-04-16 14:18:35 -04:00
0xC0ncord	93efa506da	hide-hardware-info: disable selinux whitelist by default	2022-03-17 11:41:57 -04:00
Patrick Schleizer	b0a0004a85	output	2022-02-10 13:47:10 -05:00
Patrick Schleizer	4f6f588fb5	fix, skip deletion of system.map files on read-only filesystems This is required for Qubes /lib/modules read-only implementation at time of writing. Thanks to @marmarek for the bug report! https://forums.whonix.org/t/remove-system-map-cannot-work-lib-modules-is-mounted-read-only/13324	2022-02-10 13:44:55 -05:00
0xC0ncord	4172232eb7	hide-hardware-info: make indentation consistent	2021-10-10 16:03:40 -04:00
0xC0ncord	060d7d890a	hide-hardware-info: re-enable restrictions on sysfs when using SELinux When using SELinux, restrict the parts of sysfs explicitly to ensure restrictions are working as expected.	2021-10-10 16:03:07 -04:00
Patrick Schleizer	be8c10496f	fix faillock implementation dovecot / ssh are exempted	2021-09-01 15:55:53 -04:00
Patrick Schleizer	8b104f544a	fix, add sshd to pam_service_exclusion_list to avoid faillock	2021-09-01 15:45:36 -04:00
Patrick Schleizer	db43cedcfd	LANG=C str_replace	2021-08-22 05:23:24 -04:00
Patrick Schleizer	582492d6d8	port from pam_tally2 to pam_faillock since pam_tally2 was deprecated upstream	2021-08-10 17:13:00 -04:00
Patrick Schleizer	2bf0e7471c	port from pam_tally2 to pam_faillock since pam_tally2 was deprecated upstream	2021-08-10 15:11:01 -04:00
Patrick Schleizer	2aea74bd71	renamed: usr/libexec/security-misc/pam_tally2-info -> usr/libexec/security-misc/pam-info renamed: usr/libexec/security-misc/pam_tally2_not_if_x -> usr/libexec/security-misc/pam_faillock_not_if_x renamed: usr/share/pam-configs/tally2-security-misc -> usr/share/pam-configs/faillock-security-misc	2021-08-10 15:06:04 -04:00
Patrick Schleizer	50bdd097df	move /usr/lib/security-misc to /usr/libexec/security-misc as per lintian FHS	2021-08-03 12:56:31 -04:00
Patrick Schleizer	4fadaad8c0	lintian FHS	2021-08-03 12:52:10 -04:00
Patrick Schleizer	6607c1e4bd	move /usr/lib/helper-scripts and /usr/lib/curl-scripts to /usr/libexec/helper-scripts as per lintian FHS	2021-08-03 12:48:57 -04:00
Patrick Schleizer	240ec7672a	replace no longer required `/usr/lib/security-misc/apt-get-wrapper` with `apt-get --error-on=any`	2021-08-03 12:19:26 -04:00
Patrick Schleizer	8eae635668	update lintian tag name	2021-08-03 11:51:31 -04:00
Patrick Schleizer	bb3e65f7a8	bullseye	2021-08-03 03:25:35 -04:00
Patrick Schleizer	b3e34f7f43	comment	2021-07-25 11:27:07 -04:00
Patrick Schleizer	7e128636b3	improve LKRG VirtualBox host configuration as per https://github.com/openwall/lkrg/issues/82#issuecomment-886188999	2021-07-25 11:26:20 -04:00
Patrick Schleizer	257cef24ba	add LKRG compatibility settings automation for VirtualBox hosts https://github.com/openwall/lkrg/issues/82	2021-07-24 18:03:40 -04:00
Patrick Schleizer	74e39cbf69	pam-abort-on-locked-password: more descriptive error handling https://forums.whonix.org/t/restrict-root-access/7658/1	2021-06-20 11:18:56 -04:00
Patrick Schleizer	a67007f4b7	copyright	2021-03-17 09:45:21 -04:00
Patrick Schleizer	a1819e8cab	comment	2021-03-01 09:15:44 -05:00
Kenton Groombridge	4db7d6be64	hide-hardware-info: allow unrestricting selinuxfs On SELinux systems, the /sys/fs/selinux directory must be visible to userspace utilities in order to function properly.	2021-02-06 03:02:08 -05:00
Patrick Schleizer	af3244741d	comment	2021-01-29 23:15:52 -05:00
Patrick Schleizer	b0b7f569ee	comment	2021-01-28 02:11:54 -05:00
Patrick Schleizer	9622f28e25	skip counting failed login attempts from dovecot Failed dovecot logins should not result in account getting locked. revert "use pam_tally2 only for login"	2021-01-27 05:49:34 -05:00
Patrick Schleizer	6757104aa4	use pam_tally2 only for login to skip counting failed login attempts over ssh and mail login	2021-01-24 05:04:48 -05:00
Patrick Schleizer	c5097ed599	comment	2020-12-06 04:23:09 -05:00
Patrick Schleizer	c031f22995	SUID Disabler and Permission Hardener: introduce configuration option to disable all whitelists `whitelists_disable_all=true`	2020-12-01 05:14:48 -05:00
Patrick Schleizer	b09cc0de6a	Revert "SUID Disabler and Permission Hardener: introduce configuration option to disable all whitelists" This reverts commit `36a471ebce`.	2020-12-01 05:10:26 -05:00
Patrick Schleizer	36a471ebce	SUID Disabler and Permission Hardener: introduce configuration option to disable all whitelists `whitelists_disable_all=true`	2020-12-01 05:02:34 -05:00
Patrick Schleizer	28a326a8a1	add feature `/usr/lib/security-misc/permission-hardening-undo /path/to/filename` to allow removing 1 SUID fix, show INFO message if file does not exist during removal rather than ERROR	2020-11-28 05:31:12 -05:00
Patrick Schleizer	abae787186	usability: pam abort when attempting to login to root when root password is locked	2020-11-05 06:47:16 -05:00
Patrick Schleizer	581e31af81	comment	2020-11-05 06:46:57 -05:00
Patrick Schleizer	dfe9b0f6c7	fix, no longer unconditionally abort pam for user accounts with locked passwords as locked user accounts might have valid sudoers exceptions Thanks to @mimp for the bug report! https://forums.whonix.org/t/pam-abort-on-locked-password-and-running-privileged-command-from-web-browser/10521	2020-11-05 06:42:47 -05:00
Patrick Schleizer	211769dc65	comment	2020-11-05 06:41:51 -05:00
Patrick Schleizer	7952139731	comment	2020-11-05 06:39:32 -05:00
Patrick Schleizer	bb72c1278d	copyright	2020-11-05 06:36:39 -05:00
Patrick Schleizer	5c81e1f23f	import from anon-gpg-conf	2020-04-06 09:25:45 -04:00
Patrick Schleizer	1188a44f47	port to python 3.7	2020-04-04 16:49:30 -04:00
Patrick Schleizer	2ceea8d1fe	update copyright year	2020-04-01 08:49:59 -04:00
Patrick Schleizer	649ec5dfa1	pkexec wrapper: fix gdebi / synaptic but at cost of checking for passwordless sudo /etc/suders /etc/sudoers.d exceptions. http://forums.whonix.org/t/cannot-use-pkexec/8129/53	2020-02-29 04:59:56 -05:00
Patrick Schleizer	9bbae903fe	remove-system.map: lower verbosity output	2020-02-15 05:29:48 -05:00
madaidan	31009f0bfa	Shred System.map files	2020-02-14 23:46:19 +00:00
Patrick Schleizer	1f6ed2cc70	add support for passing parameters to usr/lib/security-misc/apt-get-update	2020-02-03 08:55:20 -05:00
Patrick Schleizer	8627c9f76d	/usr/lib/security-misc/apt-get-update increase default timeout_after="600"	2020-01-31 12:18:02 -05:00
Patrick Schleizer	829e28aa90	/usr/lib/security-misc/apt-get-update environment variable timeout_after kill_after support	2020-01-31 12:17:07 -05:00
Patrick Schleizer	d4a37b6df2	remove-system.map: source /usr/lib/helper-scripts/pre.bsh	2020-01-24 03:18:17 -05:00
Patrick Schleizer	18041efa2f	fix pam tally2 check when read-only disk boot without ro-mode-init or grub-live	2020-01-21 10:01:17 -05:00
Patrick Schleizer	80159545a5	fix xfce4-power-manager xfpm-power-backlight-helper pkexec lxsudo popup https://forums.whonix.org/t/xfce4-power-manager-xfpm-power-backlight-helper-pkexec-lxsudo-popup/8764 do show lxqt-sudo password prompt if there is a sudoers exceptoin improved pkexec wrapper logging	2020-01-15 02:42:10 -05:00
Patrick Schleizer	d90ca4b1ad	refactoring	2020-01-14 15:12:13 -05:00
Patrick Schleizer	082f04f2d4	add logging to pkexec wrapper	2020-01-14 15:04:58 -05:00
Patrick Schleizer	5031e7cc4b	better output if trying to login with non-existing user	2019-12-31 08:18:38 -05:00
Patrick Schleizer	20697db3ee	improve console lockdown info output	2019-12-31 02:53:02 -05:00
Patrick Schleizer	788914de95	group ssh check was removed https://forums.whonix.org/t/etc-security-hardening-console-lockdown-pam-access-access-conf/8592/27	2019-12-31 02:46:32 -05:00
Patrick Schleizer	1a0f7a7733	debugging	2019-12-29 04:43:32 -05:00
Patrick Schleizer	5271892cb1	debugging	2019-12-29 04:42:54 -05:00
Patrick Schleizer	683028049c	debugging	2019-12-29 04:41:23 -05:00
Patrick Schleizer	e3e1ff2a31	exit with error if a config line cannot be processed rather than skipping https://forums.whonix.org/t/disable-suid-binaries/7706/59	2019-12-29 04:35:46 -05:00
Patrick Schleizer	d5c99f3a60	output	2019-12-29 04:27:21 -05:00
Patrick Schleizer	04f438f75d	comment	2019-12-24 18:09:37 -05:00
Patrick Schleizer	9da0e428ed	debugging	2019-12-24 17:54:31 -05:00
Patrick Schleizer	e18ec533c3	comment	2019-12-24 17:54:02 -05:00
Patrick Schleizer	f8f2e6c704	fix disablewhitelist feature	2019-12-23 02:35:13 -05:00
Patrick Schleizer	47ddcad0c0	rename keyword whitelist to exactwhitelist add new keyword disablewhitelist refactoring	2019-12-23 02:29:47 -05:00
Patrick Schleizer	34bf245713	output	2019-12-23 01:35:45 -05:00
Patrick Schleizer	ba30e45d15	output	2019-12-23 01:32:42 -05:00
Patrick Schleizer	ee9c5742da	output	2019-12-23 01:29:48 -05:00
Patrick Schleizer	6d05359abc	output	2019-12-23 01:21:52 -05:00
Patrick Schleizer	a1e78e8515	fix needlessly re-adding entries	2019-12-23 01:20:56 -05:00
Patrick Schleizer	906b3d32e7	output	2019-12-23 01:09:57 -05:00
Patrick Schleizer	4f76867da6	lower debugging	2019-12-23 01:08:02 -05:00
Patrick Schleizer	dc6e5d8508	fix	2019-12-23 01:06:38 -05:00
Patrick Schleizer	87b999f92a	refactoring	2019-12-23 00:59:43 -05:00
Patrick Schleizer	065ff4bd05	sanity_tests	2019-12-23 00:59:24 -05:00
Patrick Schleizer	fef1469fe6	exit non-zero if capability removal failed	2019-12-23 00:51:14 -05:00
Patrick Schleizer	17a8c29470	fix capability removal error handling https://forums.whonix.org/t/disable-suid-binaries/7706/45	2019-12-23 00:47:49 -05:00
Patrick Schleizer	b631e2ecd8	refactoring	2019-12-23 00:36:41 -05:00
Patrick Schleizer	7aea304549	comment	2019-12-23 00:26:15 -05:00
Patrick Schleizer	f4b1df02ee	Remove suid / gid and execute permission for 'group' and 'others'. Similar to: chmod og-ugx /path/to/filename Removing execution permission is useful to make binaries such as 'su' fail closed rather than fail open if suid was removed from these. Do not remove read access since no security benefit and easier to manually undo for users. chmod 744	2019-12-22 19:42:40 -05:00
Patrick Schleizer	d300db3cde	output	2019-12-21 14:45:11 -05:00
Patrick Schleizer	3921846df6	comment	2019-12-21 14:36:42 -05:00
Patrick Schleizer	1e8457ea47	no longer remount /lib https://forums.whonix.org/t/re-mount-home-and-other-with-noexec-and-nosuid-among-other-useful-mount-options-for-better-security/7707/25	2019-12-21 14:06:10 -05:00
Patrick Schleizer	10c19d6a8f	Merge remote-tracking branch 'origin/master'	2019-12-21 13:00:41 -05:00
madaidan	f5a52aeddc	Don't remount /sys/kernel/security	2019-12-21 14:55:28 +00:00
Patrick Schleizer	b2260f48f4	add support for /etc/exec / /usr/local/etc/exec to allow enabling exec on a per VM basis	2019-12-21 08:03:33 -05:00
Patrick Schleizer	b74e5ca972	comment	2019-12-21 07:47:00 -05:00
Patrick Schleizer	8fb17624bc	comment	2019-12-21 07:44:51 -05:00
Patrick Schleizer	aef796a524	disable debugging	2019-12-21 07:44:23 -05:00
Patrick Schleizer	1fe83d683f	comment	2019-12-21 07:43:55 -05:00
Patrick Schleizer	7c3da38bd5	comment	2019-12-21 07:42:25 -05:00
Patrick Schleizer	9050058bc2	fix	2019-12-21 07:42:01 -05:00
Patrick Schleizer	6b13a644df	add /usr/lib/security-misc/permission-hardening-undo	2019-12-21 07:37:41 -05:00
Patrick Schleizer	c336bc4fd2	comment	2019-12-21 06:39:13 -05:00
Patrick Schleizer	b5f88efe20	fix	2019-12-21 06:27:01 -05:00
Patrick Schleizer	2088628c8d	debugging	2019-12-21 06:24:08 -05:00
Patrick Schleizer	2dca031527	debugging	2019-12-21 06:22:46 -05:00
Patrick Schleizer	195e00cc87	output	2019-12-21 06:16:38 -05:00
Patrick Schleizer	4b21b6df41	fix	2019-12-21 06:11:44 -05:00
Patrick Schleizer	8436da2b7b	output	2019-12-21 05:58:50 -05:00
Patrick Schleizer	da15265e1c	fix	2019-12-21 05:55:23 -05:00
Patrick Schleizer	2a248fe0de	fix	2019-12-21 05:54:39 -05:00
Patrick Schleizer	4f12664362	output	2019-12-21 05:54:07 -05:00
Patrick Schleizer	e3355843c8	fix	2019-12-21 05:51:22 -05:00

... 3 4 5 6 7 ...

714 Commits