Commit Graph

393 Commits

Author SHA1 Message Date
Patrick Schleizer
fef1469fe6
exit non-zero if capability removal failed 2019-12-23 00:51:14 -05:00
Patrick Schleizer
17a8c29470
fix capability removal error handling
https://forums.whonix.org/t/disable-suid-binaries/7706/45
2019-12-23 00:47:49 -05:00
Patrick Schleizer
b631e2ecd8
refactoring 2019-12-23 00:36:41 -05:00
Patrick Schleizer
7aea304549
comment 2019-12-23 00:26:15 -05:00
Patrick Schleizer
f4b1df02ee
Remove suid / gid and execute permission for 'group' and 'others'.
Similar to: chmod og-ugx /path/to/filename

Removing execution permission is useful to make binaries such as 'su' fail closed rather
than fail open if suid was removed from these.

Do not remove read access since no security benefit and easier to manually undo for users.

chmod 744
2019-12-22 19:42:40 -05:00
Patrick Schleizer
d300db3cde
output 2019-12-21 14:45:11 -05:00
Patrick Schleizer
3921846df6
comment 2019-12-21 14:36:42 -05:00
Patrick Schleizer
1e8457ea47
no longer remount /lib
https://forums.whonix.org/t/re-mount-home-and-other-with-noexec-and-nosuid-among-other-useful-mount-options-for-better-security/7707/25
2019-12-21 14:06:10 -05:00
Patrick Schleizer
10c19d6a8f
Merge remote-tracking branch 'origin/master' 2019-12-21 13:00:41 -05:00
madaidan
f5a52aeddc
Don't remount /sys/kernel/security 2019-12-21 14:55:28 +00:00
Patrick Schleizer
b2260f48f4
add support for /etc/exec / /usr/local/etc/exec
to allow enabling exec on a per VM basis
2019-12-21 08:03:33 -05:00
Patrick Schleizer
b74e5ca972
comment 2019-12-21 07:47:00 -05:00
Patrick Schleizer
8fb17624bc
comment 2019-12-21 07:44:51 -05:00
Patrick Schleizer
aef796a524
disable debugging 2019-12-21 07:44:23 -05:00
Patrick Schleizer
1fe83d683f
comment 2019-12-21 07:43:55 -05:00
Patrick Schleizer
7c3da38bd5
comment 2019-12-21 07:42:25 -05:00
Patrick Schleizer
9050058bc2
fix 2019-12-21 07:42:01 -05:00
Patrick Schleizer
6b13a644df
add /usr/lib/security-misc/permission-hardening-undo 2019-12-21 07:37:41 -05:00
Patrick Schleizer
c336bc4fd2
comment 2019-12-21 06:39:13 -05:00
Patrick Schleizer
b5f88efe20
fix 2019-12-21 06:27:01 -05:00
Patrick Schleizer
2088628c8d
debugging 2019-12-21 06:24:08 -05:00
Patrick Schleizer
2dca031527
debugging 2019-12-21 06:22:46 -05:00
Patrick Schleizer
195e00cc87
output 2019-12-21 06:16:38 -05:00
Patrick Schleizer
4b21b6df41
fix 2019-12-21 06:11:44 -05:00
Patrick Schleizer
8436da2b7b
output 2019-12-21 05:58:50 -05:00
Patrick Schleizer
da15265e1c
fix 2019-12-21 05:55:23 -05:00
Patrick Schleizer
2a248fe0de
fix 2019-12-21 05:54:39 -05:00
Patrick Schleizer
4f12664362
output 2019-12-21 05:54:07 -05:00
Patrick Schleizer
e3355843c8
fix 2019-12-21 05:51:22 -05:00
Patrick Schleizer
234ec5fe93
fix 2019-12-21 05:47:35 -05:00
Patrick Schleizer
7ff900c204
fix 2019-12-21 05:37:43 -05:00
Patrick Schleizer
e1a5ee4bcf
output 2019-12-21 05:26:55 -05:00
Patrick Schleizer
66aaf3e22c
output 2019-12-21 05:25:54 -05:00
Patrick Schleizer
7aa7d0b5a0
improve error handling 2019-12-21 05:22:27 -05:00
Patrick Schleizer
8919d38de9
disable debugging 2019-12-21 05:21:46 -05:00
Patrick Schleizer
cf5dee64fd
refactoring 2019-12-21 05:18:34 -05:00
Patrick Schleizer
29cd9a0c38
fix 2019-12-21 05:17:35 -05:00
Patrick Schleizer
486027a4d7
fix 2019-12-21 05:15:38 -05:00
Patrick Schleizer
1fd26be864
fix 2019-12-21 05:14:51 -05:00
Patrick Schleizer
0fc97c37be
fix 2019-12-21 05:14:39 -05:00
Patrick Schleizer
1018d5b3b0
output 2019-12-21 05:11:51 -05:00
Patrick Schleizer
4388fc4d5a
refactoring 2019-12-21 05:11:19 -05:00
Patrick Schleizer
ed20980f4c
refactoring 2019-12-21 05:07:10 -05:00
Patrick Schleizer
315ce86b9a
refactoring 2019-12-21 04:33:03 -05:00
Patrick Schleizer
0c5848494b
do not remount if already has intended mount options 2019-12-21 04:21:26 -05:00
Patrick Schleizer
203f4ad46e
refactoring 2019-12-21 04:17:10 -05:00
Patrick Schleizer
e7fd0dadb0
output 2019-12-21 04:09:35 -05:00
Patrick Schleizer
e6ea21c775
record existing modes in separate dpkg-statoverwrite databases
to have a history of what was modified and to allow to undo changes
2019-12-21 04:08:35 -05:00
Patrick Schleizer
17e8605119
add matchwhitelist feature
add "/usr/lib/virtualbox/ matchwhitelist"
2019-12-20 12:57:24 -05:00
Patrick Schleizer
1b569ea790
comment 2019-12-20 12:32:36 -05:00
Patrick Schleizer
f88ca25889
fix terminology, sguid -> sgid
Thanks to @madaidan for the bug report!

https://forums.whonix.org/t/permission-hardening/8655/21
2019-12-20 11:58:07 -05:00
Patrick Schleizer
ff0a26fb5d
comment 2019-12-20 11:49:19 -05:00
Patrick Schleizer
71496a33ab
skip folders are these are not suid / guid 2019-12-20 11:47:53 -05:00
Patrick Schleizer
9321ecff41
no more need to add/remove / 2019-12-20 11:43:53 -05:00
Patrick Schleizer
b95225b6a6
pipefail 2019-12-20 11:37:05 -05:00
Patrick Schleizer
cad6f328f4
minor 2019-12-20 11:34:44 -05:00
Patrick Schleizer
3265f9894d
output 2019-12-20 11:27:43 -05:00
Patrick Schleizer
1615ebec58
output 2019-12-20 11:07:44 -05:00
Patrick Schleizer
1e11b775cf
output 2019-12-20 11:05:05 -05:00
Patrick Schleizer
731f802895
output 2019-12-20 11:04:12 -05:00
Patrick Schleizer
cd8efe5800
output 2019-12-20 11:03:22 -05:00
Patrick Schleizer
b31abea0af
improve error handling 2019-12-20 10:49:31 -05:00
Patrick Schleizer
79cd3b86b6
comment 2019-12-20 10:47:23 -05:00
Patrick Schleizer
b3458cc6ee
fix checking existing entries to avoid needless calls to dpkg-statoverride 2019-12-20 10:45:59 -05:00
Patrick Schleizer
370f3c5e54
comment 2019-12-20 10:35:05 -05:00
Patrick Schleizer
133d09f298
output 2019-12-20 10:33:16 -05:00
Patrick Schleizer
1ffa8e197e
speed up setuid removal by using find with '-perm /u=s,g=s'
https://forums.whonix.org/t/permission-hardening/8655/19
2019-12-20 10:31:26 -05:00
Patrick Schleizer
4cfdf2c65b
fix, re-enforce nosuid even if changed on the disk 2019-12-20 10:21:27 -05:00
Patrick Schleizer
e36868e675
output 2019-12-20 10:02:46 -05:00
Patrick Schleizer
50b8f65490
add sanity test: count if we really processed all files 2019-12-20 09:59:28 -05:00
Patrick Schleizer
55faa7b997
fix missing processing files bug
https://forums.whonix.org/t/permission-hardening/8655/16
2019-12-20 09:43:23 -05:00
Patrick Schleizer
fbe2479f48
count processed file system objects
to be able to verify if any were "forgotten"
2019-12-20 08:54:56 -05:00
Patrick Schleizer
195ea522f5
fix 2019-12-20 08:52:14 -05:00
Patrick Schleizer
6f8231be70
debugging 2019-12-20 08:51:55 -05:00
Patrick Schleizer
ed50f98010
output 2019-12-20 08:47:22 -05:00
Patrick Schleizer
6d30e3b4a2
do not remove suid from whitelisted binaries ever
https://forums.whonix.org/t/permission-hardening/8655/13
2019-12-20 08:13:23 -05:00
Patrick Schleizer
d5f1bd8dd2
fix mode sanity check
no longer use seq due to issue

https://forums.whonix.org/t/permission-hardening/8655/13
2019-12-20 08:02:30 -05:00
Patrick Schleizer
0ae3e689b5
comment 2019-12-20 06:35:02 -05:00
Patrick Schleizer
050f4d8b94
comment 2019-12-20 06:34:37 -05:00
Patrick Schleizer
36043fe5cc
comment 2019-12-20 06:33:41 -05:00
Patrick Schleizer
fb4254547b
comment 2019-12-20 06:32:04 -05:00
Patrick Schleizer
cca0908d9a
fix 2019-12-20 06:11:38 -05:00
Patrick Schleizer
e254b8b52d
fix 2019-12-20 06:09:17 -05:00
Patrick Schleizer
7f8b3c76de
output 2019-12-20 06:02:17 -05:00
Patrick Schleizer
071c64dc41
enable 'set -e' 2019-12-20 06:01:49 -05:00
Patrick Schleizer
b97c66707c
minor 2019-12-20 05:59:05 -05:00
Patrick Schleizer
17b4f12276
output 2019-12-20 05:58:42 -05:00
Patrick Schleizer
918cbb4e25
output 2019-12-20 05:51:25 -05:00
Patrick Schleizer
c8cf09a4cb
output 2019-12-20 05:50:16 -05:00
Patrick Schleizer
46466c12ad
parse drop-in config folder rather than only one config file 2019-12-20 05:49:11 -05:00
Patrick Schleizer
66fd31189d
improve output if set-user-id / set-group-id is set 2019-12-20 05:37:33 -05:00
Patrick Schleizer
6dd6530fa5
remove hardening-enable
please invent package security-paranoid instead

https://forums.whonix.org/t/security-hardening-tool-usr-bin-hardening-enable-by-security-misc/8609
2019-12-20 05:32:26 -05:00
Patrick Schleizer
af0f074987
remount /lib with nosuid,nodev
https://forums.whonix.org/t/re-mount-home-and-other-with-noexec-and-nosuid-among-other-useful-mount-options-for-better-security/7707/22
2019-12-20 05:27:11 -05:00
Patrick Schleizer
a135ae9400
use must manually enable permission-hardening.service
until development finished
2019-12-20 05:22:59 -05:00
Patrick Schleizer
fa6f1e1568
output 2019-12-20 05:19:39 -05:00
Patrick Schleizer
a26cb94bfd
globstar no longer required 2019-12-20 04:49:21 -05:00
Patrick Schleizer
c66e9abe18
comment 2019-12-20 04:48:57 -05:00
Patrick Schleizer
d1d0afff34
fix
fso: /lib/
usr/lib/security-misc/permission-hardening: line 19: /usr/bin/stat: Argument list too long

https://forums.whonix.org/t/kernel-hardening/7296/326
2019-12-20 04:48:02 -05:00
Patrick Schleizer
e74d2e4f94
output 2019-12-20 04:23:14 -05:00
Patrick Schleizer
eb86359033
refactoring 2019-12-20 04:20:05 -05:00
Patrick Schleizer
bb84fca184
refactoring 2019-12-20 04:08:46 -05:00
Patrick Schleizer
f92b414195
refactoring 2019-12-20 04:06:28 -05:00
Patrick Schleizer
4c44871e9d
comment 2019-12-20 04:02:05 -05:00
Patrick Schleizer
6876a2eaa8
comment 2019-12-20 04:01:40 -05:00
Patrick Schleizer
35c4fce61b
fix "dpkg-statoverride: warning: stripping trailing /" 2019-12-20 03:54:46 -05:00
Patrick Schleizer
9bd9012ab1
refactoring 2019-12-20 03:46:50 -05:00
Patrick Schleizer
55933f8876
refactoring 2019-12-20 03:43:36 -05:00
Patrick Schleizer
9e493a9f48
refactoring 2019-12-20 03:42:09 -05:00
Patrick Schleizer
b92a690c16
refactoring 2019-12-20 03:40:47 -05:00
Patrick Schleizer
98535e3a2b
refactoring 2019-12-20 03:39:25 -05:00
Patrick Schleizer
ecbba2fd61
refactoring 2019-12-20 03:38:39 -05:00
Patrick Schleizer
20b8a407ac
refactoring 2019-12-20 03:25:17 -05:00
Patrick Schleizer
6cd9eb44fb
refactoring 2019-12-20 03:24:07 -05:00
Patrick Schleizer
706dba104d
code simplification 2019-12-20 03:19:12 -05:00
Patrick Schleizer
01dd567f8b
fix, if fso has exactly the mode we want (not 3 instead of 4 string length), not need to reset it 2019-12-20 03:16:43 -05:00
Patrick Schleizer
4f65b0fc1e
refactoring 2019-12-20 03:13:27 -05:00
Patrick Schleizer
bfee6b60cb
comment 2019-12-20 03:11:11 -05:00
Patrick Schleizer
d64cdc1247
refactoring 2019-12-20 03:04:41 -05:00
Patrick Schleizer
7c5c65a6c1
comment 2019-12-20 03:04:13 -05:00
Patrick Schleizer
b31d8cd3fc
fix 2019-12-20 03:03:40 -05:00
Patrick Schleizer
c626290673
refactoring 2019-12-20 03:02:26 -05:00
Patrick Schleizer
d5ff1d6f28
refactoring 2019-12-20 03:00:39 -05:00
Patrick Schleizer
640ca1d24d
skip symlinks
https://forums.whonix.org/t/kernel-hardening/7296/323?
2019-12-20 02:57:57 -05:00
Patrick Schleizer
cc8f795799
comment 2019-12-20 02:47:04 -05:00
Patrick Schleizer
4e5b222a08
comment 2019-12-20 02:43:33 -05:00
Patrick Schleizer
fa895ee11e
refactoring 2019-12-20 02:40:42 -05:00
Patrick Schleizer
2c163bf439
check string length of permission variable
https://forums.whonix.org/t/kernel-hardening/7296/322
2019-12-20 02:39:53 -05:00
Patrick Schleizer
a89befd902
code simplification 2019-12-20 02:20:54 -05:00
Patrick Schleizer
72812da63f
comment 2019-12-20 02:16:32 -05:00
Patrick Schleizer
39a41cc27b
refactoring 2019-12-20 02:14:45 -05:00
Patrick Schleizer
2ed6452590
downgrade to info 2019-12-20 02:12:43 -05:00
Patrick Schleizer
a5e55dfcfc
quotes 2019-12-20 02:11:39 -05:00
Patrick Schleizer
3187cee4fb
output 2019-12-20 02:10:13 -05:00
Patrick Schleizer
5160b4c781
disable xtrace 2019-12-20 02:08:05 -05:00
Patrick Schleizer
27bfe95d25
add echo wrapper 2019-12-20 02:07:49 -05:00
Patrick Schleizer
a6988f3fb8
output 2019-12-20 02:06:31 -05:00
Patrick Schleizer
1819577b88
fix 2019-12-20 02:04:34 -05:00
Patrick Schleizer
278c60c5a0
exit non-zero if some line cannot be parsed
therefore make systemd notice this

therefore allow the sysadmin to notice this
2019-12-20 02:01:36 -05:00
Patrick Schleizer
66bcba8313
improve character whitelisting 2019-12-20 01:58:35 -05:00
Patrick Schleizer
8f14e808a9
send error messages to stderr 2019-12-20 01:32:49 -05:00
Patrick Schleizer
d8c9fac2e5
output 2019-12-20 01:32:08 -05:00
Patrick Schleizer
f19abaf627
refactoring 2019-12-20 01:31:37 -05:00
madaidan
3c2ca0257f
Support for removing SUID bits 2019-12-19 17:01:08 +00:00
Patrick Schleizer
4ca9fc5920
fix 2019-12-16 03:53:10 -05:00
Patrick Schleizer
f68efd53cf
remount /sys/kernel/security with nodev,nosuid[,noexec]
as suggested by @madaidan

http://forums.whonix.org/t/apparmor-for-complete-system-including-init-pid1-systemd-everything-full-system-mac-policy/8339/238
2019-12-16 03:52:09 -05:00
Patrick Schleizer
300f010fc2
increase priority of pam-abort-on-locked-password-security-misc
since it has its own user help output

so it shows before pam tally2 info

to avoid duplicate non-applicable help text
2019-12-12 09:29:00 -05:00
Patrick Schleizer
729fa26eca
use pam_acccess only for /etc/pam.d/login
remove "Allow members of group 'ssh' to login."
remove "+:ssh:ALL EXCEPT LOCAL"
2019-12-12 09:00:08 -05:00
Patrick Schleizer
b72eb30056
quotes 2019-12-09 02:32:05 -05:00
Patrick Schleizer
c258376b7e
use read (built-in) rather than awk (external) 2019-12-09 02:31:10 -05:00
Patrick Schleizer
02165201ab
read -r; refactoring
as per https://mywiki.wooledge.org/BashFAQ/001
2019-12-09 02:23:43 -05:00